From the home page "ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets.

It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop."

Example usage:

• ngrep

No arguments. Shows all traffic going through the default network card.
• ngrep -qd eth1 'HTTP' tcp port 80

Be quiet, look only at tcp packets with either source or dest port 80 on interface eth1, look for anything matching 'HTTP'.
• ngrep -qd le0 port 53

Watch all tcp and udp port 53 (nameserver) traffic on interface le0. Be quiet.
• ngrep 'USER|PASS' tcp port 21

Look only at tcp packets with either source or dest port 21, look for anything resembling an FTP login.
• ngrep -wiA 2 'user|pass' tcp port 21

Alternatively, match either 'user' or 'pass' case insensitively, and dump the next 2 packets following (that match the bpf filter).

There's also a manfile included which explains the usage in more detail.