Port mirroring question

Quick one for you folks, need clarification about traffic direction.

1. Ingress means coming into the vDS, so coming out of a port (say VM1). So we mirror traffic coming out of VM1, correct?
2. Egress means coming to VM1, correct? So traffic bound for VM1?

I've read a few blog posts on VMware.com but this wasnt completely clear.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Essendon

Testing out port mirroring in my lab Dave. I dont know where you'd use one over the other apart from the different options available in either. Can you shed some light?

Thanks for the answer.

dave330i

Essendon wrote: »

Testing out port mirroring in my lab Dave. I dont know where you'd use one over the other apart from the different options available in either. Can you shed some light?

Thanks for the answer.

Best use case I've read about port mirroring is for IDS. Netflow is for netflow analyzer.

Essendon

Cheers mate, just read that too.

TheNewITGuy

You would use port mirroring to mirror traffic

IDS/Call Captures/Wireshark etc. Egress is exiting and Ingress is coming in, depending on the device we're mirroring. So say we have vmgroup tied to vmnic1 and we're passing vlan 20,30,40 off the servers in that group. We can setup a SPAN port on the switch to mirror traffic for that particular vlan. So ingress would be into the switch and egress would be sent to the host.

We can then set up an appliance on the span port to capture the L2 traffic of that vlan.