tcpdump and ngrep are both based on libpcap. Therefore both use the same filter expressions.

Here is the manual page of the ⇒pcap filter expression.

These filter expressions are also used in FortiGate’s diag sniffer packet command.