philb19 asked:

Can a packet sniffer view the contents of a user opening a Word doc - see the content of a file

Basic question around packet sniffers and applications - can a sniffer pick up and read the content of a Word document, as an example? Our storage (data at rest) is not encrypted.
So if I use a good sniffer and can capture the data in-line, can I then in any way use a quality packet sniffer to see the content of, say, a Word document being opened by a user?
Dr. Klahn:

Not if IPSec is enabled at both ends.

https://www.geeksforgeeks.org/computer-network-ip-security-ipsec/

And even less so if IPSec is enabled and SMB v3 is used with encryption enabled.

https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security

However, if someone has attached and dug in on your wired network to a point where they can put a packet sniffer on it for any length of time, then all bets about security are off because one of your employees is corrupt and they've already handed over all the information they can about your network.
If encryption isn't enabled then yes you can. Install Wireshark on your PC and see what it captures.
Should be able to for non-encrypted traffic, and even with offline pcap analysis, for example NetworkMiner:

https://www.netresec.com/?page=networkminer

Extract files from FTP, TFTP, HTTP, SMB, SMB2, SMTP, POP3 and IMAP traffic

Extract X.509 certificates from SSL encrypted traffic like HTTPS, SMTPS, IMAPS, POP3S, FTPS etc

Likewise for Wireshark, you can drill down in the packet you want, depending on the protocol.

Right click > Export selected bytes
philb19 (asker):
ok I have wireshark on my pc - If I open a word document how do I see the content of this file in wireshark please?
Just kick off opening a word document across the network, start capturing packets, then stop once the document is open. (try to do this quickly, to minimize the number of packets to sort through). Filter on port 445, and start  viewing packets. It would be difficult to reconstruct the entire document, but you should see recognisable fragments of text.
philb19 (asker):
Thanks. If I filter on 445 I see nothing; if I filter on smb2 I see traffic. When I view/analyse the TCP stream I see the doc heading/name in clear text somewhere in the gibberish. What I need to know is the way to go about it - is smb2 the best filter? How do I capture the whole document, presuming no encryption (which there isn't)? Do I need to dump all the Wireshark data into another product, or is it just not possible?

cheers
In short:

- Attackers have a very hard time, any way you put it. You don't expect an attacker to have access to the mirror port of a network switch, do you (do you know what a mirror port is? Please inform yourself about that)?
- Without a mirror port, sniffing works with ARP poisoning/IP spoofing (whatever you like to call it). If the legitimate target for the data is running, an attacker will be able to get that IP, but the attack will not go unnoticed - try it out. The legitimate computer will get unbearably slow. Try it.
- Countermeasures have been mentioned: SMBv3 (by default: encryption is off!), IPsec (secure firewall rules using the Windows firewall with Kerberos authentication).
- Whether the data is encrypted at the server drive or not does not matter.
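The asker's smb2 filter and the point above that SMBv3 encryption is off by default come down to one thing a defender can check in a capture: whether each SMB message carries a plaintext SMB2 header or an SMB3 transform header. The Python below is an added example, not code from this thread or from Wireshark; it parses a reassembled TCP/445 byte stream using the [MS-SMB2] header layout and flags every message a sniffer could read. The sample stream, the command table and the `smb2_header` builder are constructed for the demonstration.

```python
import struct

# Wire constants from [MS-SMB2]; the sample stream below is constructed, not captured.
SMB2_MAGIC = b"\xfeSMB"   # plaintext SMB2/3 header: a sniffer can read the body
SMB3_XFORM = b"\xfdSMB"   # SMB3 transform header: the body is encrypted
SMB1_MAGIC = b"\xffSMB"
SMB2_COMMANDS = {0x0005: "CREATE", 0x0006: "CLOSE", 0x0008: "READ", 0x0009: "WRITE"}
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses

def iter_nbss_frames(stream):
    """Split a reassembled TCP/445 stream into direct-TCP frames: 0x00 + 24-bit BE length."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off + 1:off + 4], "big")
        yield stream[off + 4:off + 4 + length]
        off += 4 + length

def classify_smb(payload):
    """Return what a passive observer learns from one frame, or None if it is not SMB."""
    magic = payload[:4]
    if magic == SMB3_XFORM:
        return {"encrypted": True, "command": None, "response": None}
    if magic == SMB2_MAGIC and len(payload) >= 64:
        cmd, = struct.unpack_from("<H", payload, 12)    # Command field
        flags, = struct.unpack_from("<I", payload, 16)  # Flags field
        return {"encrypted": False, "command": SMB2_COMMANDS.get(cmd, hex(cmd)),
                "response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)}
    if magic == SMB1_MAGIC:
        return {"encrypted": False, "command": "SMB1", "response": None}
    return None

def audit_stream(stream):
    """Every record with encrypted=False is readable, and its file data reconstructible, from a capture."""
    return [r for r in map(classify_smb, iter_nbss_frames(stream)) if r]

def smb2_header(command, response=False, message_id=1):
    """Build a minimal 64-byte plaintext SMB2 header (constructed test data only)."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if response else 0
    return SMB2_MAGIC + struct.pack("<HHIHHIIQ", 64, 1, 0, command, 1, flags, 0, message_id) + bytes(32)

def nbss(payload):
    return b"\x00" + len(payload).to_bytes(3, "big") + payload

# Constructed stream: a cleartext READ request/response pair, then one SMB3-encrypted message.
SAMPLE_STREAM = (nbss(smb2_header(0x0008) + bytes(49))
                 + nbss(smb2_header(0x0008, response=True) + b"PK\x03\x04word/document.xml")
                 + nbss(SMB3_XFORM + bytes(48)))

if __name__ == "__main__":
    for rec in audit_stream(SAMPLE_STREAM):
        print(rec)
```

On a real capture, feed it the bytes from Wireshark's "Follow TCP Stream" (raw export) for a port-445 conversation; any READ/WRITE record that is not encrypted is a share where file contents cross the wire in the clear.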
philb19 (asker):
Thanks McKnife for the comments. Yes, I realise it's difficult for attackers. The question is not around how difficult it might be. The question is
around demonstrating that I can in fact rebuild a document using Wireshark myself (having all the access to ports etc. that I require).
SMB encryption is off (yes). So can I use a sniffing tool to see the entire contents of a document I open across the network, and how do I go about it?

Let's say, for argument's sake, that an insider threat exists (that insider is a domain and full network admin) with all the access he requires.

Thanks all
No, you can't do that unless you are an expert in this attack type. Just wireshark alone will not let you reconstruct text.