Since you have Gen-1 hardware, I'm afraid the choices are limited.
I have some thoughts...but I will add this disclaimer that everything I suggest is either only a partial answer, or an annoying workaround. But I suppose some info is better than no info.
1. In the Operations Tab >> Visibility and Troubleshooting in APIC, you could enter source and destination EPs and look at all the resulting output, like logs, contract hits, faults, events, atomic counters, etc. This tool is limited in that it only shows you and analysis of one source IP to one destination IP (and vice versa). Which leads me to option 2 as it is related...
2. In the V&T tool one of the choices is SPAN...which is actually a very easy way to tell the fabric to capture traffic from anywhere in the fabric and send to some other EP in the fabric (or outside the fabric). This is effectively ERSPAN and the tool makes it super easy to setup. Same limits here in that you are sending the traffic of one set of EPs. Yes, it is possible to use SPAN/ERSPAN outside this tool to capture using more and broader options. I get that spanning traffic may not be what you asked about....
3. You do have the ability to log contract deny or contract allow messages. These messages will tell you a lot of info, like IP/MAC, VRF, ports used. The limit here is that we cap the number of logs to 500/second, so it is a limited tool that you enable/disable when you need it for most use cases. You can see these logs of permit or deny (or both) in the System > Events window. Note, to see these logs you do need to do some basic configuration. They are not on by default.
