It may be a job for deep packet inspection. Instead of running Wireshark on the NetFlow server setup a SPAN or mirror port and get a copy of the traffic going to and from the router which is exporting the NetFlow data. You then need to connect that SPAN port to NPM 11.x which has QoE running or if you want an even deeper dive into the traffic try something like LANGuardian which can extract application and other metadata so you can pinpoint what those flows are.