ngrep is a powerful tool for searching and filtering network packets in real time. According to the Linux man page:
ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).
The first thing you will need to do is install some kind of FTP server. For this example I used vsftpd.
Installing vsftpd with apt:
apt-get install vsftpd
Installing vsftpd with yum:
yum install vsftpd
The second thing you will need to do is install ngrep.
Installing ngrep with apt:
apt-get install ngrep
Installing ngrep with yum:
yum install ngrep
For the best results you will also need two computers. I used two Raspberry Pis.
On the FTP server (target box), fire up ngrep with the following command (image 1):
sudo ngrep -d <interface> port 21
On the client box, log in to the FTP server as you normally would (image 2):
ftp <server name/ip>
When prompted, enter your user name.
When prompted, enter your password.
Check the results on the target box (image 3). Highlighted with the white circles are the FTP username (ftpaccount) and the password (1234), both readable because FTP sends the USER and PASS commands in cleartext.
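From the defender's side, the same capture can be used to find accounts that still log in over cleartext FTP. The script below is an added example, not part of the original post: it reads ngrep's text output and reports client, server, user name and login result without ever printing the password. The function names, the documentation-range addresses and the second account (backup) are constructed, and the layout assumed is ngrep's -q output.

```sh
# Added example: audit ngrep text output for cleartext FTP logins.
# Assumed layout: "T src:port -> dst:port [flags]" header, then payload lines.
ftp_cleartext_logins() {
  awk '
    $1 == "T" && $3 == "->" { src = $2; dst = $4; next }   # packet header
    {
      line = $0
      sub(/^[ \t]+/, "", line)     # payload lines may be indented
      sub(/[.\r]+$/, "", line)     # CR/LF shows up as trailing dots
      cmd = toupper(substr(line, 1, 5))
      if (cmd == "USER ") {
        user[src " " dst] = substr(line, 6)
      } else if (cmd == "PASS ") {
        pass[src " " dst] = 1      # record that a password was sent, never its value
      } else if (line ~ /^[25]30[ -]/ || line ~ /^[25]30$/) {
        conn = dst " " src         # the 230/530 reply flows server -> client
        if (conn in pass) {
          report(conn, (substr(line, 1, 1) == "2") ? "success" : "failed")
          delete pass[conn]; delete user[conn]
        }
      }
    }
    END { for (conn in pass) report(conn, "no-reply-seen") }
    function report(conn, result,   p) {
      split(conn, p, " ")
      printf "client=%s server=%s user=%s result=%s\n", p[1], p[2], user[conn], result
    }
  '
}

# Constructed sample capture (packet separators omitted; 1234 is the post's password).
sample_ngrep_output() {
  cat <<'EOF'
T 192.0.2.20:40022 -> 192.0.2.10:21 [AP]
  USER ftpaccount..
T 192.0.2.30:40100 -> 192.0.2.10:21 [AP]
  USER backup..
T 192.0.2.20:40022 -> 192.0.2.10:21 [AP]
  PASS 1234..
T 192.0.2.30:40100 -> 192.0.2.10:21 [AP]
  PASS wrong-guess..
T 192.0.2.10:21 -> 192.0.2.20:40022 [AP]
  230 Login successful...
T 192.0.2.10:21 -> 192.0.2.30:40100 [AP]
  530 Login incorrect...
EOF
}

sample_ngrep_output | ftp_cleartext_logins
```

On a live box the function can be fed directly with sudo ngrep -q -l -d <interface> port 21 | ftp_cleartext_logins, and every line it prints is an account to move to SFTP or FTPS.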