So while ESX 3.5 (not sure about i) may have tcpdump and tcpslice:
[root@esx root]# tcp
tcpd tcpdump tcpslice
They’re of limited use, at least with the way ESX implements networking, vSwitches after all, are good and proper layer 2 devices. Now, that is not to say you couldn’t do something with arp poisoning, but… that’s cheating. Well, maybe not so much, but guest methods of doing this are a bit beyond scope, and frankly, depending on VLANS, Port groups, etc, could be hard to manage, and may place undue stress on the ESX server (all those nasty poisoned arp requests, and keeping track of them, etc. ).
So there is an answer: Solera V2P tap
This works essentially the same as any other network tap would and exposes all of the traffic on the virtual switch to your existing auditing/security infrastructure. Post in the comments if there is interest in me covering some guest methods for getting the same info.