Research and Implementation of Ethernet-based Data Link Monitoring System

2026-04-06 05:33:31
Abstract: Tactical data links play an increasingly prominent role in modern warfare, especially the US military's data link system, which has consistently been at the forefront of global development. In-depth research on this system is of great practical significance for the development of new data links. This paper analyzes the basic characteristics and technical standards of the US military's data links, gives a preliminary discussion of the necessity and feasibility of establishing a data link monitoring system, and presents a corresponding implementation scheme, including system principles, structural composition, and functions. The paper focuses on the software design and implementation methods of an Ethernet-based data link monitoring system.

Keywords: Data link, Ethernet surveillance, packet capture, decoding

1 Introduction

A tactical data link is a data communication system that uses advanced modulation and demodulation, error correction coding, networking communication, and information fusion technologies to transmit formatted digital information in real time, in a bit-oriented manner, according to a prescribed message format and communication protocol. The US military's data link system has consistently been at the forefront of global development. Comprehensive research on this system, and the design and establishment of an Ethernet monitoring system, are of great practical significance for the development of new data links.

2 US Military Tactical Data Link

US military data link research began in the 1950s. For more than half a century, the United States and Western countries have continuously developed dozens of data links, with more than ten still in service. The main data links are shown in the table below.
Table 1 Main Data Links of the US Military

Research on the US military data links shows that they are characterized by diverse message formats, a wide range of application platforms, support for many types of services, large link capacity, and high transmission rates.

3 Data Link Ethernet Monitoring System Design

3.1 System Functional Requirements

The data link system required by modern warfare is a data network that can connect the platforms, sensors, data processing units, command and control units, and combat units distributed across land, sea, air, space, and cyberspace. This network organically organizes the various command systems and combat units to form information superiority and combat superiority. In this sense, it is essential to establish a monitoring system that can use computers to collect, monitor, record, and analyze the data transmitted through the link in real time, and display it in a data format, to ensure reliable, efficient, and conflict-free transmission of data link messages. Therefore, an Ethernet monitoring system should have the following functions:

1. Data acquisition: Capture packets from multiple interfaces on the Ethernet;
2. Decoding and display: Decode data and display the data and analysis results in various graphs and tables according to user needs;
3. Data processing: Classify, count, analyze, store, and replay received data packets according to attributes such as type, size, and content;
4. Data filtering: Set filtering conditions as needed during acquisition, display, and statistics.

3.2 System Scheme Design

The data link terminal equipment mainly consists of a data processor, a joint information distribution system terminal, an antenna, etc. It can be configured on command platforms at different levels of the various military branches as needed.
Its composition is shown in Figure 1 (data link terminal part):

Figure 1 Block diagram of data link terminal and Ethernet monitoring system

The data processor is the core of the data link terminal equipment and acts as a translator: all data packets flowing through the data link must be processed by it. Therefore, the data link can be monitored by mirroring the switch port connected to the data processor to the port connected to the network monitoring system and collecting all information entering and leaving the data processor. The monitoring system is designed on this idea, as shown in Figure 1. The basic workflow of the system is as follows:

(1) The packet capture subsystem intercepts the data packets transmitted on the mirror port, stores them in the database, and sends them to the decoding and analysis subsystem for processing;
(2) The decoding and analysis subsystem reads the intercepted data packets in real time, parses the information elements of each packet (source address, destination address, port information, protocol information, and so on) as well as the combat elements it carries (command information, situation information, and so on), and classifies, counts, and analyzes the packets according to attributes such as type, size, and content;
(3) The display subsystem displays, in real time, the information elements and combat elements decoded by the decoding and analysis subsystem;
(4) When the user plays back historical data through the interactive interface of the display subsystem, the display subsystem retrieves the requested data packets from the database and sends them to the decoding and analysis subsystem for decoding and display.

4 Implementation of Data Link Ethernet Monitoring System

The data link Ethernet monitoring system is implemented as three subsystems: packet capture, decoding and analysis, and display.
This paper designs and develops the system with Visual C++ 6.0 on the Windows 2000 platform. The implementation technology for the display subsystem is already relatively mature, so this paper focuses on the packet capture subsystem and the decoding and analysis subsystem.

4.1 Network Packet Capture

NDIS-based kernel-mode packet filtering offers high structural integrity and scalability. The NDIS intermediate layer driver sits between the Miniport driver (data link layer) and the Protocol driver (network layer), and all data packets sent to and received from the network pass through it. The intermediate layer driver can therefore filter and process all network data packets, which makes it an ideal choice for implementing Ethernet monitoring. This paper uses Microsoft's Driver Development Kit (DDK) for NDIS intermediate layer driver programming. The specific process is as follows:

(1) The NDIS driver calls the NdisMInitializeWrapper function in its main entry function DriverEntry to register the output function set entry and obtain the device handle;
(2) Pass the handle obtained in (1) to NdisIMRegisterLayeredMiniport to register a set of Miniport callback functions for the NDIS intermediate layer driver. The upper-layer protocol driver will then treat the intermediate layer driver as a network card and call these callback functions through the NDIS library;
(3) Call NdisRegisterProtocol to register a set of Protocol callback functions for the NDIS intermediate layer driver. The lower-layer network card will then treat the intermediate layer driver as a protocol and call these functions through the NDIS library;
(4) When the operating system discovers the NIC, NDIS calls the ProtocolBindAdapter function registered by the intermediate layer driver. This function needs to call NdisOpenAdapter to open the adapter, which establishes the binding between the network card and the intermediate layer;
(5) Call PtReceivePacket to receive the data packets received by the network card;
(6) The data packet is compared with the configured filtering rules. If the rules are not met, the function returns NDIS_STATUS_NOT_ACCEPTED, a macro defined in ndis.h, which ends the call of this receive function.

Given the special application requirements of tactical data links, ensuring the stable and efficient operation of the monitoring system is crucial. However, the traditional NDIS intermediate layer driver packet capture algorithm processes data packets directly in the function corresponding to the entry point. When the data volume is large, this exhausts the receive buffer space of the NIC driver, causing input/output blocking, reducing the ability of the lower-layer NIC to receive data packets from the network, and seriously affecting system performance.

To improve processing efficiency, the system must ensure that sufficient buffer space remains available at the network adapter's interface while the adapter is operating. The intermediate layer driver therefore does not process data packets directly in the function corresponding to the entry point. Instead, it calls PtReceivePacket to receive the packets, places them directly in a reserved memory buffer to wait for the upper-layer program to process them, and returns from the function as soon as possible. This scheme not only prevents blocking but also allows packet capture and upper-layer processing to work in parallel, improving the efficiency of network packet capture.

Based on this idea, during the initialization of the intermediate layer driver, one memory buffer queue for receiving data packets and one memory buffer queue for sending data packets are first established, and a kernel thread is created.
When there is data in the sending data packet queue that needs to be processed, the kernel thread is notified to buffer the data packets input from the lower layer in the memory buffer for receiving data packets. When the upper-layer program is idle, the kernel thread is notified to read the data packets in the memory buffer and release the occupied receive buffer space. The algorithm flow is shown in Figure 2:

Figure 2 Flowchart of Network Packet Capture Algorithm

4.2 Decoding and Analysis

Network packet capture yields all the data packets on the data link that are of interest to users. These packets must be decoded and analyzed before useful information can be presented to users. However, data link systems vary in architecture and protocol format, so a single decoding mechanism is not applicable; a decoding model that is universal across protocol formats is required. In addition, the special application requirements of the data link monitoring system mean that the decoding and analysis subsystem must decode and display not only information elements such as the source address, destination address, port information, and protocol information of the data packets but also, more importantly, the combat information they carry, such as command information and situational information.

First, the information elements of the captured data packets are decoded. The data packets that the decoding and analysis subsystem reads from the packet capture subsystem are Ethernet frames. To decode and analyze them, it is necessary to understand the structure of the Ethernet frame (as shown in Figure 3). When data is transmitted over the network, it is passed from the application to a protocol stack. As the data is passed down the stack layer by layer, the protocol at each layer encapsulates the data passed down from the layer above into its own format.
For details, please refer to "TCP/IP Illustrated". Packet decoding uses these formats to obtain information elements such as address information, port information, and packet type information.

Figure 3 Ethernet Frame Structure

The application data segment is obtained through the above decoding. The use of bit-oriented messages is one of the most prominent features of US military tactical data link messages. In data link Ethernet, the application (mainly the various data link protocols) encapsulates combat information and headers into application data. Each message contains one or more messages, and each message contains one or more message words. Tactical information is encapsulated in message words according to the message format, which varies depending on the data link used.

This paper establishes an XML data description file based on the data link message standard description database and provides it to users in the form of a function call interface. The combat information in a message is logically divided into elements, and each element is the smallest decoding unit. At the start of decoding, the decoding model extracts the message series identifier and the message identifier, i.e., the message format of the data link being decoded and the label of the message currently being decoded. These are compared with the message database in the XML data description file to perform message decoding. Using XML files makes it easy to follow revisions of the message standards: when a standard is revised, only the XML file needs to be modified and the decoding source program does not, which greatly simplifies system implementation and maintenance.
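The description-driven decoding explained above, as an added example in Python (not the paper's code, which was written in Visual C++). The XML layout, the "DEMO" series, the 3-bit series identifier and 5-bit message identifier header, and every field name are assumptions constructed for the example and are not taken from any real data link standard.

```python
import xml.etree.ElementTree as ET

# Constructed description file for a hypothetical "DEMO" message series; it is
# not taken from any real data link standard. Each <field> is one element.
DESCRIPTION_XML = """
<series id="1" name="DEMO">
  <message id="2" name="TrackReport">
    <field name="track_number" bits="12"/>
    <field name="quality" bits="4"/>
    <field name="altitude" bits="8"/>
  </message>
</series>"""
# A "revised standard": only the description changes, the decoder does not.
REVISED_XML = DESCRIPTION_XML.replace(
    '<field name="quality" bits="4"/>',
    '<field name="quality" bits="3"/><field name="exercise" bits="1"/>')

class DecodeError(ValueError):
    """Raised for unknown identifiers or messages shorter than their layout."""

def load_catalog(xml_text):
    """Index field layouts by (series identifier, message identifier)."""
    series = ET.fromstring(xml_text)
    return {(int(series.get("id")), int(msg.get("id"))):
            (msg.get("name"), [(f.get("name"), int(f.get("bits"))) for f in msg.iter("field")])
            for msg in series.iter("message")}

class BitReader:
    """Reads unsigned fields MSB-first from a byte string."""
    def __init__(self, data):
        self.value, self.remaining = int.from_bytes(data, "big"), len(data) * 8
    def read(self, nbits):
        if nbits > self.remaining:
            raise DecodeError("message truncated")
        self.remaining -= nbits
        return (self.value >> self.remaining) & ((1 << nbits) - 1)

def decode(app_data, catalog):
    """Assumed header: 3-bit series identifier, then 5-bit message identifier."""
    bits = BitReader(app_data)
    key = (bits.read(3), bits.read(5))
    if key not in catalog:
        raise DecodeError(f"no description for series/message {key}")
    name, fields = catalog[key]
    return name, {fname: bits.read(width) for fname, width in fields}

SAMPLE = bytes([0x22, 0xAB, 0xC5, 0x7F])  # constructed application data
if __name__ == "__main__":
    print(decode(SAMPLE, load_catalog(DESCRIPTION_XML)))
    print(decode(SAMPLE, load_catalog(REVISED_XML)))
```

Decoding the same bytes against REVISED_XML returns the split quality and exercise fields without any change to decode(), and unknown identifiers or truncated input raise DecodeError instead of yielding partial values.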
The specific algorithm flow of the decoding model is shown in Figure 4:

Figure 4 Combat Information Decoding Algorithm Flowchart

5 Conclusion

The author's innovation lies in designing and proposing an Ethernet-based data link monitoring system through analysis and research of the US military data link technology standards, combined with military needs. From a practical implementation perspective, the powerful and promising NDIS intermediate layer driver is used to capture packets, with performance optimizations, and an XML data description model based on the data link message standard description database is used to decode the various tactical messages. The system proposed in this paper has significant reference value and practical implications for the further development of data links:

1. It can improve the efficiency of overall data link planning and design, providing reliable and powerful technical support for system testing and performance testing during joint commissioning;
2. After troops have implemented command by data transmission, the real-time display and data playback functions of the monitoring system can be used to analyze and study the coordination between combat units and command and control units, which helps to detect problems in time, improve the effectiveness of daily training, and ensure the reliability of the link in wartime;
3. It displays the data packet information and link information of interest to users through a visual graphical window and a flexible interactive interface, facilitating interactive operation by network administrators and operators.

Developing an Ethernet-based data link monitoring system is a very complex task, especially considering the issues of collaborative interconnection between data links and system reliability. Further research will be conducted on collaborative interconnection and reliability in the future.

References

1 Huang Lieyan, Wei Jiaolong. Construction and enlightenment of US military data link. Ship Electronic Engineering, Vol.25, No.2, 2005:29-32
2 Liu Hongjun, Xu Yongsheng. US military tactical data link message format and its characteristics. Journal of China Academy of Electronics Science, Vol.1, No.3, 2006:291-295
3 Stevens W R. TCP/IP Illustrated. Beijing: Machinery Industry Press, 2000
4 Microsoft DDK For Windows 2000 Documentation, 2000 (8)
5 Microsoft Co. Windows 2000 Driver Development Guide: Volume 1 Design Guide [M]. Translated by Feng Boqin. Beijing: Machinery Industry Press, 2001
6 Hou Gonghua, Zhao Yuandong. Research and design of packet filtering based on NDIS intermediate layer. Microcomputer Information, 2006, 12-3:141-143