By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest adapter in promiscuous mode causes it to detect all frames passed on the virtual switch on that host only that are allowed under the VLAN policy for the associated port group. This can be useful for intrusion detection monitoring or if a sniffer needs to be run to analyze all traffic on the wire.

Promiscuous mode is disabled by default, and should not be turned on unless specifically required. Software running inside a virtual machine may be able to monitor any and all traffic moving across a vSwitch if it is allowed to enter promiscuous mode.

VMware ESXi
VMware vSphere

To configure a portgroup or virtual switch to allow promiscuous mode:

1. Log into the ESXi/ESX host or vCenter Server using the vSphere Client.
2. Select the ESXi/ESX host in the inventory.
3. Click the Configuration tab.
4. In the Hardware section, click Networking.
5. Click Properties of the virtual switch for which you want to enable promiscuous mode.
6. Select the virtual switch or portgroup you wish to modify and click Edit.
7. Click the Security tab.
8. From the Promiscuous Mode dropdown menu, click Accept.

Note: The setting on the portgroup overrides the virtual switch setting. For more information, see How promiscuous mode works at the virtual switch and portgroup levels.

You likely need to set the VLAN 4095 at the port group level, which allows the port group to see the traffic on any VLAN while leaving the VLAN tags intact.

Note: From esxcli you can enable promiscuos mode. But this command is only available for Standard Switches and not for Distributed Switches:

# esxcli network vswitch standard policy security set -p true --vswitch-name vSwitchName
The vSwitchName can be retrieved from "esxcli network vswitch standard list"