How to Apply VXLAN-GBP Encapsulation to PCAP Files Using PacketSmith
Introduction
In version 5.1.0 (codenamed Taxus), released on March 16, 2026, the injection engine has undergone a significant evolution, transitioning from basic command-line parameters to a robust, template-driven architecture. Injections are now orchestrated via external JSON objects, enabling highly customizable repeatable traffic generation.
Before version 5.1.0, PacketSmith already supported injecting DNS query and response packets, VLAN encapsulation layer, and TCP handshake packets, and in the latest release, v5.1.0, we've added support for injecting VXLAN-GBP (Virtual Extensible LAN) encapsulation layer, encapsulating the entire (original) frame over UDP. The VXLAN outer layers consist of an Ethernet layer, IPv4 or IPv6 layer, and a UDP layer that carries the VXLAN header and the encapsulated frame. All of the outer layers’ attributes are customizable via the JSON object “vxlan”, including every flag in the GBP extension and the rest of the fields. Furthermore, PacketSmith can dynamically calculate the outer UDP source port based on the inner 5-tuple. Users can choose from several industry-standard hashing algorithms, including Jenkins, Toeplitz, CRC16, CRC32, and XOR.
VXLAN-GBP Encapsulation Using PacketSmith
To encapsulate all the original frames in a pcap with a VXLAN-GBP (Virtual Extensible LAN) encapsulation layer, refer to the file "inject_templates\inj_tpl.json" that resides in the same directory as the PacketSmith executable. The relevant configuration is defined within the vxlan object, located under the inject → layers path in the JSON schema (the 't' notation indicates the required data type for each corresponding key) :
{
// encapsulate the original frame inside a VXLAN layer
"name": "vxlan",
"outer_layers":
{
"ethernet":
{
// t:str
"src_mac": "00:0c:29:e3:c6:4d",
// t:str
"dst_mac" : "00:0c:29:da:d1:de",
// t:str
"eth_type": "ipv4" // "ipv4" or "ipv6"
},
"ipv4":
{
// t:str
"src_ip": "192.168.0.1",
// t:str
"dst_ip": "192.168.0.2",
// t:int
"ttl": 64
},
"ipv6":
{
// t:str
"src_ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
// t:str
"dst_ip": "2001:db8::ff00:42:8329",
// t:int
"hop_limit": 64
},
"udp":
{
// t:int
"src_port": 1234,
// t:str - hash functions: "jenkins", "toeplitz", "crc16", "crc32", "xor", "none"
// if "none", then the source port is set to the static port in "src_port"
"src_port_hash": "toeplitz",
// t:int
"dst_port": 4789
}
},
"flags":
{
// t:bool
"gbp_extension": false,
// t:bool
"vni": true,
// t:bool
"dont_learn": false,
// t:bool
"policy_applied": false,
// t:int
"reserved": 0
},
// t:int
"group_policy_id": 48,
// t:int
"vni": 6969,
// t:int
"reserved": 0
}
All the JSON key values are mutable, providing granular control over all outer-layer parameters. This includes exhaustive support for the GBP extension flags, ensuring every field can be customized to meet specific network requirements.
Let's take the following TCP packet as an example:
To VXLAN-GBP encapsulate it, we use the following command line options:
PacketSmith.exe --infile <input_pcap> --outfile <output_pcap> --inject layer:vxlan --checksum
Using the above JSON object, we get the following output:
Conclusion
In summary, we have shown how to wrap original PCAP frames with a VXLAN-GBP layer. The shift to a JSON-driven injection engine enables users to define complex tunnelling parameters in a structured format, thereby facilitating consistent, scalable network simulations.
Author: Mohamad Mokbel
First release: March 16, 2026