Network Sniffing for HEX Patterns With Tshark

I needed to sniff for a specific HEX sequence, namely AC ED 00 05, which signifies the start of a serialised Java object. It doesn’t appear to be possible to do this with tcpdump or with ngrep, but I got it working by using tshark as follows:

tshark -i lo -Y "data.data contains AC:ED:00:05"

-Y wasn’t supported on an older version of tshark, but -R worked:

tshark -i eth0 -R "data.data contains AC:ED:00:05"
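
For triaging the hits from a filter like the ones above, here is an added example (not part of the original post) that scans payload bytes offline for the same AC ED 00 05 header. It goes beyond the filter in two ways: it also looks for the base64 form of the header (text beginning rO0AB), and it checks that the byte after the header is a valid Java serialization type code (0x70 to 0x7E), which separates real stream starts from chance matches. The function names and the sample payloads are assumptions made for this illustration.

```python
import base64
import binascii

# Added example: offline triage of payload bytes (e.g. what tshark shows as data.data).
MAGIC = bytes.fromhex("aced0005")   # STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005
B64_PREFIX = b"rO0AB"               # how those bytes begin when base64-encoded
# Type codes the Java serialization protocol allows after the header: 0x70..0x7E.
TC_NAMES = {0x70 + i: "TC_" + n for i, n in enumerate(
    "NULL REFERENCE CLASSDESC OBJECT STRING ARRAY CLASS BLOCKDATA ENDBLOCKDATA "
    "RESET BLOCKDATALONG EXCEPTION LONGSTRING PROXYCLASSDESC ENUM".split())}

def offsets(haystack, needle):
    """Yield every offset of needle, like a 'contains' match that keeps going."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)

def first_record(stream):
    """stream starts with MAGIC; name the type code that follows it."""
    if len(stream) < 5:
        return "truncated"          # header at the very end of this segment
    return TC_NAMES.get(stream[4])  # None: byte is not a valid type code

def find_java_streams(payload):
    """Return (offset, encoding, first_record) for each candidate stream header."""
    hits = [(off, "raw", first_record(payload[off:off + 5]))
            for off in offsets(payload, MAGIC)]
    for off in offsets(payload, B64_PREFIX):
        chunk = payload[off:off + 8]            # 8 base64 chars decode to 6 bytes
        if len(chunk) < 8:
            hits.append((off, "base64", "truncated"))
            continue
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue                            # not base64 text after all
        if decoded[:4] == MAGIC:
            hits.append((off, "base64", first_record(decoded)))
    return hits

if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = [
        b"\x00\x01" + bytes.fromhex("aced00057372"),
        b"Cookie: s=" + base64.b64encode(bytes.fromhex("aced0005737200")),
        bytes.fromhex("aced000500"),
    ]
    for payload in samples:
        print(find_java_streams(payload))
```

A hit whose third field is None matched the four header bytes but is followed by a byte that cannot start a serialized record, so it is most likely a coincidental match.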