Source: VMware Blogs.
Port mirroring is the capability on a network switch to send a copy of network packets seen on a switch port to a network-monitoring device connected to another switch port. Port mirroring is also referred to as Switch Port Analyzer (SPAN) on Cisco switches. In VMware vSphere 5, a Distributed Switch provides a similar port mirroring capability that is available on a physical network switch. After a port mirror session is configured with a destination—a virtual machine, a vmknic or an uplink port—the Distributed Switch copies packets to the destination.
Port mirroring provides visibility into
• Intrahost virtual machine traffic (virtual machine–to–virtual machine traffic on the same host)
• Interhost virtual machine traffic (virtual machine–to–virtual machine traffic on different hosts)
Figure below shows different types of traffic flows that can be monitored when a virtual machine on a host acts as a destination or monitoring device. All traffic shown by the orange dotted line with arrow is mirrored traffic that is sent to the destination virtual machine.
The terms Ingress source and Egress source are with respect to the VDS. For example, when you want to monitor the traffic that is going out of a virtual machine towards the VDS, it is called Ingress Source traffic. The traffic seeks ingress to the VDS and hence the source is called Ingress. If you want to monitor traffic that is received by a virtual machine, then configure the port mirroring session with the traffic source as Egress Source as shown in the top right corner diagram of the figure below.