Port mirroring on a virtual distributed switch (vDS) copies the network traffic of one virtual port to another virtual port, so that you can analyze one machine's traffic from another machine.
To analyze the network traffic, we will use the free and well-known program "Wireshark", although other tools exist.
Port mirroring on virtual distributed switches (vDS) is possible using SPAN, RSPAN, and ERSPAN developed by Cisco.
SPAN (Switch port Analyzer) is a powerful monitoring system for duplicating network traffic to one or more switch interfaces.
The Local SPAN (Switch port Analyzer) allows you to duplicate network traffic from one or more interfaces (network ports) of a switch to one or more interfaces of the same switch.
RSPAN (Remote SPAN) allows network traffic to be duplicated from one or more interfaces (network ports) of one or more switches to one or more interfaces of another switch. This is possible through the use of a VLAN ID.
This variant of SPAN makes it easy to centralize monitoring of network traffic on a switch.
RSPAN uses layer 2 of the OSI model.
ERSPAN (Encapsulated remote SPAN) also allows network traffic to be duplicated from one or more interfaces of one or more switches to one or more interfaces of another switch. Its advantage is that the duplicated traffic can be sent to any destination that has an IP address.
Indeed, unlike RSPAN, ERSPAN uses layer 3 of the OSI model.
Source: Understanding SPAN, RSPAN, and ERSPAN - Cisco Community.
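
To make the layer 2 / layer 3 difference concrete, here is an added example (not part of the original tutorial) that classifies a frame arriving on the monitoring port as RSPAN, ERSPAN, or ordinary traffic. It assumes ERSPAN Type II, which is carried in GRE with protocol type 0x88BE, a detail this page does not state. The MAC addresses, IP addresses, VLAN 900 and session ID 7 are constructed sample values.

```python
import struct

ETH_VLAN, ETH_IPV4, IPPROTO_GRE = 0x8100, 0x0800, 47
GRE_ERSPAN_II = 0x88BE  # GRE protocol type for ERSPAN Type II (assumed variant)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(frame, rspan_vlan=None):
    """Classify one Ethernet frame received on the monitoring port."""
    try:
        (etype,) = struct.unpack("!H", frame[12:14])
        off = 14
        if etype == ETH_VLAN:  # 802.1Q tag: RSPAN identifies mirrored frames by VLAN ID
            tci, etype = struct.unpack("!HH", frame[14:18])
            if tci & 0x0FFF == rspan_vlan:
                return {"kind": "rspan", "vlan": tci & 0x0FFF, "src": mac(frame[6:12])}
            off = 18
        if etype == ETH_IPV4 and frame[off + 9] == IPPROTO_GRE:
            gre = off + (frame[off] & 0x0F) * 4  # skip the outer IPv4 header (IHL words)
            flags, proto = struct.unpack("!HH", frame[gre:gre + 4])
            if proto == GRE_ERSPAN_II:
                # optional GRE checksum, key and sequence fields are 4 bytes each
                hdr = gre + 4 + 4 * bin(flags & 0xB000).count("1")
                word, _index = struct.unpack("!II", frame[hdr:hdr + 8])
                inner = frame[hdr + 8:]  # the mirrored Ethernet frame itself
                if len(inner) < 14:
                    return {"kind": "truncated"}
                return {"kind": "erspan", "version": word >> 28,
                        "orig_vlan": (word >> 16) & 0x0FFF, "session_id": word & 0x03FF,
                        "inner_src": mac(inner[6:12]), "inner_dst": mac(inner[0:6])}
    except (struct.error, IndexError):
        return {"kind": "truncated"}
    return {"kind": "plain", "src": mac(frame[6:12])}

# Constructed sample frames (not captured traffic); all addresses and IDs are made up.
HOST, VM1, VM2, GW = (bytes.fromhex("0050560000" + x) for x in ("10", "21", "22", "01"))
INNER = GW + VM2 + struct.pack("!H", ETH_IPV4) + bytes(20)  # frame sent by the monitored VM
RSPAN = GW + VM2 + struct.pack("!HHH", ETH_VLAN, 900, ETH_IPV4) + bytes(20)
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, IPPROTO_GRE, 0,
                   bytes([10, 0, 0, 10]), bytes([10, 0, 0, 21]))
GRE = struct.pack("!HHI", 0x1000, GRE_ERSPAN_II, 1)  # S bit set, sequence number 1
ERSPAN_HDR = struct.pack("!II", (1 << 28) | (100 << 16) | 7, 0)  # ver 1, VLAN 100, session 7
ERSPAN = VM1 + HOST + struct.pack("!H", ETH_IPV4) + IPV4 + GRE + ERSPAN_HDR + INNER

if __name__ == "__main__":
    for name, f in (("rspan", RSPAN), ("erspan", ERSPAN), ("plain", INNER)):
        print(name, classify(f, rspan_vlan=900))
```

The RSPAN frame is recognised only when the analyst supplies the RSPAN VLAN ID, whereas the ERSPAN frame carries its session ID and the complete original frame inside an ordinary routed IP packet.
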
For this tutorial, we used 2 virtual machines running Windows 10 that are on the same host.
Important: to be able to follow this tutorial, your 2 virtual machines must be on the same host.
Otherwise, the port mirroring session will not work.
The 1st virtual machine is called "Win 10 v2004 x64 - VM 1 (Wireshark)" and has the IP address "10.0.0.21".
It is on this virtual machine that we will install Wireshark to monitor the network traffic of our 2nd virtual machine.
The 2nd virtual machine is called "Win 10 v2004 x64 - VM 2 (to monitor)" and has the IP address "10.0.0.22".
It is the network traffic of this virtual machine that will be monitored by VM 1.
Wireshark is a very well-known and free network analysis tool that allows you to see all the frames passing through the network.
Preferably, download and install the "Windows Installer" version. If you use a portable version of Wireshark instead, you will get an error saying that Npcap or WinPcap is not installed on your computer.
Npcap and WinPcap are libraries for capturing frames passing through the network. Without these libraries, Wireshark will not be able to work.
Launch the Wireshark installer.
Leave the components checked by default and simply click Next.
Leave the default installation folder.
As noted by the installer, Wireshark requires Npcap or WinPcap to capture network traffic.
Leave the "Install Npcap…" box checked and click Next.
There is no need to install USBPcap in this case, as we will not be capturing USB traffic.
Just click Install.
The Wireshark installation starts.
The Npcap installer required by Wireshark appears automatically.
Click on: I Agree.
At this step, simply click on Install without changing anything.
Wait while Npcap installs.
Npcap is installed.
Click Finish.
The Wireshark installation continues.
Wireshark is installed.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.