1 | initial version |
What Wireshark can do is look at network traffic, i.e., packets going into and out of your system. By analysing these packets it can try to reconstruct transport connections, using TCP and UDP, etc. In these transport connections it can try to look for protocols that are used for file transfer, e.g., (T)FTP, SMB or HTTP. In these transfer sessions it may be able to find the files being transferred.
Note the many tries and maybe's in this text. If all this was done in the clear everyone with access to the transport connection would be able to see these files too, something which is not desirable. Therefore encryption comes into play. The protocols for file transfer may be encapsulated in an encryption layer (TLS for instance), making analysis significantly harder.
In such cases other analysis, that of metadata, may become necessary. E.g., looking for connections to known C&C nodes. Or traffic unrelated to normal operating processes of the system. You see that we get far away from just trying to look at a file transfer. Sure, it may be the case it's in the clear, but as always, it depends on the specifics.