You need to know if a DLP network monitor can detect FTP traffic in passive (PASV) mode.
An overview of how both FTP modes work (the original page illustrated these with two diagrams):
[Diagram: Normal (Active) FTP]
[Diagram: Passive FTP]
Network Monitor uses the same information that can be seen through a PCAP-based capture utility, such as Wireshark.
For both types of FTP traffic, the monitor needs to inspect the control connection in order to determine which data connection is associated with it, because the data ports vary with every connection. In either case, the system needs full-duplex (bidirectional) traffic in its capture stream in order to correctly analyze and detect FTP transfers.
With normal (active) FTP connections, the outbound PORT command contains the information needed to interpret the data connection. However, the data connection itself is initiated inbound (server to client), and the initiation of that connection will not be visible in an outbound-only traffic stream. Detection may still occur in some cases, since the data itself is visible, but without the whole stream this cannot be considered complete or reliable.
With passive FTP connections, the port number is contained within the inbound response from the server to the client's PASV FTP command. Thus, if the inbound traffic is not visible, the network monitor cannot determine which data connection is associated with the transfer, and no detection will occur.
Bidirectional traffic is a requirement for FTP in general, but for PASV transfers in particular there is no possibility of detecting file transfers on a simplex (one-direction) capture: the data port is chosen anew for each transfer, and the half of the control connection that announces it is the half that a simplex capture never sees.
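The following is an added illustration, not code from the original article or from any DLP product, of the correlation step described above: it walks a constructed FTP control session, extracts the data-connection endpoint from the client's PORT command (RFC 959 form h1,h2,h3,h4,p1,p2, port = p1*256 + p2) or from the server's 227 reply to PASV, and shows what happens when only the outbound direction is available. The session lines, hosts and ports are constructed sample values.

```python
import re
from typing import Iterable, Optional, Tuple

# Client -> server:  PORT h1,h2,h3,h4,p1,p2   (active mode, client listens)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Server -> client:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Turn the six RFC 959 decimal fields into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_endpoint(control_lines: Iterable[Tuple[str, str]],
                           visible=("out", "in")) -> Optional[Tuple[str, str, int]]:
    """Return (mode, host, port) of the data connection announced on the
    control channel, or None if the capture never shows the announcement.
    `visible` models which directions the monitor's tap actually delivers."""
    result = None
    for direction, line in control_lines:
        if direction not in visible:
            continue  # this half of the conversation is not in the capture
        if direction == "out" and (m := PORT_RE.match(line)):
            host, port = decode_hostport(m.groups())
            result = ("active", host, port)   # server will connect to client here
        elif direction == "in" and (m := PASV_RE.match(line)):
            host, port = decode_hostport(m.groups())
            result = ("passive", host, port)  # client will connect to server here
    return result


# Constructed sample sessions (direction, control-channel line).
ACTIVE_SESSION = [
    ("out", "USER alice"), ("in", "331 Password required for alice."),
    ("out", "PORT 10,0,0,5,195,80"),          # client listens on 10.0.0.5:50000
    ("in", "200 PORT command successful."),
    ("out", "STOR report.xlsx"), ("in", "150 Opening BINARY mode data connection."),
]
PASSIVE_SESSION = [
    ("out", "PASV"),
    ("in", "227 Entering Passive Mode (203,0,113,9,156,64)"),  # server 203.0.113.9:40000
    ("out", "STOR report.xlsx"), ("in", "150 Ok to send data."),
]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        print(name, "full duplex:", expected_data_endpoint(session))
        print(name, "outbound only:", expected_data_endpoint(session, visible=("out",)))
```

With both directions visible each session yields its data endpoint; with only outbound traffic the active session still yields one (from PORT) while the passive session yields None, which is exactly the gap the article describes.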