Feb 5, 2020
Great point! I have used NetFlow in the past and it works just as well or better in some cases. I wrote this mostly from the lens of a SOC analyst. Moloch provides the ability to do the indexing AND full packet capture, providing more information when triaging events.