I have checked the requirements which you have, but we really cannot make the switch just receive traffic and not send it across. If we talk about Layer 3 or Layer 2 traffic, that cannot be limited on the port itself. I have tried thinking of many ways but didn't come across any which accomplish this.
SPAN/RSPAN is the only way by which we can make the port just receive/listen to the traffic but not forward any kind of traffic.
Make your topology a little simpler in this case. Do not interconnect all these switches; let these switches connect back to the 3560 switch as spokes only. Configure SPAN and monitor all the ports. That's the only way you can make this solution work; otherwise there is no receive-only option.
As I said, I thought about VACLs as an option, but as we know, VACLs provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN. Unlike regular Cisco IOS ACLs that are configured on router interfaces and applied on routed packets only, VACLs apply to all packets. So we really cannot distinguish the packets which are coming in and going out.
Also, the spanning-tree blocked ports will never get packets, as they are blocked.