I needed to sniff for a specific hex sequence, namely AC ED 00 05, which signifies the start of a serialised Java object. It doesn’t appear to be possible to do this with tcpdump nor with ngrep, but I got it working by using tshark as follows:
tshark -i lo -Y "data.data contains AC:ED:00:05"
-Y wasn’t supported on an older version of
tshark -i eth0 -R "data.data contains AC:ED:00:05"
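The filter above matches the marker inside a single packet's payload, so it cannot see a header that is split across two TCP segments. The following Python sketch is an added example, not part of the original post: it concatenates payloads per flow before searching and checks that the byte after AC ED 00 05 is a valid type code from the Java serialization stream format (0x70 to 0x7E). The flow ids, function names and sample bytes are constructed for illustration, and segments are assumed to arrive in order with no retransmissions.

```python
from collections import defaultdict

MAGIC = bytes.fromhex("ACED0005")   # STREAM_MAGIC (AC ED) + STREAM_VERSION (00 05)
TC_BASE, TC_MAX = 0x70, 0x7E        # type codes TC_NULL .. TC_ENUM


def find_streams(payload: bytes):
    """Return [(offset, confirmed)] for every MAGIC occurrence in payload.

    confirmed is True when the byte after the header is a valid type code,
    False when it is not, and None when the payload ends right after the header.
    """
    hits, pos = [], payload.find(MAGIC)
    while pos != -1:
        nxt = payload[pos + len(MAGIC):pos + len(MAGIC) + 1]
        hits.append((pos, TC_BASE <= nxt[0] <= TC_MAX if nxt else None))
        pos = payload.find(MAGIC, pos + 1)
    return hits


def scan_segments(segments):
    """segments: iterable of (flow_id, payload) in arrival order.

    Concatenates payloads per flow before searching (assumption: in-order,
    non-overlapping segments; retransmissions are not handled).
    """
    streams = defaultdict(bytearray)
    for flow, payload in segments:
        streams[flow] += payload
    return {flow: find_streams(bytes(buf)) for flow, buf in streams.items()
            if MAGIC in buf}


# Constructed sample traffic (not captured data).
SAMPLE = [
    ("A", b"\x00\x10" + MAGIC + b"\x73\x72\x00\x03Foo"),   # header + TC_OBJECT
    ("B", b"prefix\xac\xed"),                              # header split ...
    ("B", b"\x00\x05\x74\x00\x02hi"),                      # ... across two segments
    ("C", b"GET / HTTP/1.1\r\n\r\n"),                      # no marker
    ("D", b"\xff" + MAGIC + b"\x00\x00"),                  # marker bytes, bad type code
]

if __name__ == "__main__":
    for flow, hits in scan_segments(SAMPLE).items():
        print(flow, hits)
```

Flow B is only reported after its two segments are joined, and flow D is reported with confirmed set to False, which marks it as a likely coincidental match.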