I can compile on Debian 4.0 i386, CentOS 5.1 x86_64, and OpenSUSE 10.3 x86_64 using the notes below.

Linux ncaptool HOWTO:

1. Pre-requisites:

For each of the operating systems, I downloaded the boot CD and installed over the network on my Dell Pentium D (x84) desktop with a minimal server configuration. Most people probably install developer tools on their boxes, but I don't make that assumption.

1.1 Debian Etch 4.0

After a fresh workstation install, I'd edit /etc/apt/sources.list to make sure I can download packages from the net. I'd then make sure the following developer tools were installed:

    apt-get install build-essential libpcap0.8-dev libbind-dev

1.2 CentOS 5.1

CentOS auto-configures yum to . After a minimal base install, I downloaded some developer tools:

    yum install gcc libgcc libpcap-devel

1.3 SUSE

After a minimal install of SUSE, I needed the following packages:

    yast -i make gcc cvs libpcap-devel wget groff

I also need a text editor. My choice was "vim".

1.4 Others

When compiling on Linux, make sure you have a good development environment where make and gcc work and you have libraries and headers for pcap. If your distribution doesn't have a libpcap-devel package, you can go to http://www.tcpdump.org and download and install libpcap. If you can build tcpdump from source, you're in good shape.

2. BIND prerequisite

The DNS debugging feature in ncaptool needs libbind.a. The easiest way to get one is to download a fresh copy of BIND and recompile in a temporary location:

    cd /var/tmp
    rm -rf bind-9.4.2
    wget ftp://ftp.isc.org/isc/bind9/9.4.2/bind-9.4.2.tar.gz
    tar -xzf bind-9.4.2.tar.gz
    cd bind-9.4.2
    ./configure --enable-libbind --prefix /var/tmp/bind
    make
    rm -rf /var/tmp/bind
    make install

On Debian systems, you can ignore the above and use the libbind-dev package instead.

3. Installing ncaptool

Get ncap from OARC:

    cd /var/tmp
    rm -rf ncap
    cvs -q -d :pserver:anonymous@cvs.oarci.net:/proj/cvsroot login
    # (press return for an empty password)
    cvs -q -d :pserver:anonymous@cvs.oarci.net:/proj/cvsroot get ncap
    cd ncap

Edit the Makefile. Look for the word "Linux" and set the following variables near that location:

    PORTLDFLAGS= -L/usr/local/lib
    PORTLIBS= -lrt
    BINDCFLAGS= -I/var/tmp/bind/include
    BINDLDFLAGS= -L/var/tmp/bind/lib

Comment out the -lthr line for FreeBSD:

    #PORTLIBS= -lthr

Then:

    make
    make install

On Debian, you should use the Makefile.debian file instead:

    make -f Makefile.debian
    make -f Makefile.debian install

Make sure your program runs:

    /usr/local/bin/ncaptool -h

To test it, sniff your Ethernet interface (e.g. eth0) for packets:

    #!/bin/bash
    ncaptool -fmv -i eth0 -g - -b "udp src port 53" &
    dig www.isc.org a >/dev/null
    sleep 1
    kill %1

Example output from ncaptool:

    [45 pcap if eth0] 2008-04-26 01:33:14.293492000 [00000000 00000000] \
        [198.6.1.3].53 [172.16.26.104].32768 \
        dns QUERY,NOERROR,11456,qr|rd|ra \
        1 www.isc.org,IN,A \
        1 www.isc.org,IN,A,445,204.152.184.88 0 0

Because libbind.a was compiled into ncaptool, you can remove BIND 9.4.2:

    rm -rf /var/tmp/bind /var/tmp/bind-9.4.2*

You can remove /var/tmp/ncap or move it somewhere more permanent.
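
Added example (not part of the original HOWTO and not ncap's own code): a Python parser for the text record shown under "Example output from ncaptool", turning it into fields that a DNS monitoring or passive-DNS log could store. The field names, the four count-prefixed sections, and the assumption that no record contains spaces in its rdata are all inferred from that single sample record.

```python
import re

# Constructed input: the page's own example record, continuations kept.
SAMPLE = r"""[45 pcap if eth0] 2008-04-26 01:33:14.293492000 [00000000 00000000] \
    [198.6.1.3].53 [172.16.26.104].32768 \
    dns QUERY,NOERROR,11456,qr|rd|ra \
    1 www.isc.org,IN,A \
    1 www.isc.org,IN,A,445,204.152.184.88 0 0
"""

# Field names are assumptions inferred from the sample, not ncap documentation.
RECORD = re.compile(
    r"\[(?P<length>\d+) (?P<source>[^\]]+)\] (?P<date>\S+) (?P<time>\S+) "
    r"\[(?P<user1>[0-9a-f]{8}) (?P<user2>[0-9a-f]{8})\] "
    r"\[(?P<src>[^\]]+)\]\.(?P<sport>\d+) \[(?P<dst>[^\]]+)\]\.(?P<dport>\d+) "
    r"dns (?P<opcode>\w+),(?P<rcode>\w+),(?P<id>\d+),(?P<flags>\S+) (?P<body>.+)"
)
SECTIONS = ("question", "answer", "authority", "additional")
RR_KEYS = ("name", "class", "type", "ttl", "rdata")  # questions use the first 3

def parse_record(text):
    """Parse one text record into a dict; raise ValueError if it does not fit."""
    # Undo the backslash-newline wrapping, then collapse runs of whitespace.
    flat = " ".join(re.sub(r"\\\s*\n", " ", text).split())
    m = RECORD.fullmatch(flat)
    if m is None:
        raise ValueError("not a dns record in the expected layout")
    msg = m.groupdict()
    for key in ("length", "sport", "dport", "id"):
        msg[key] = int(msg[key])
    msg["flags"] = msg["flags"].split("|")
    tokens = msg.pop("body").split()
    for section in SECTIONS:
        # Each section is a count followed by that many comma-separated RRs.
        if not tokens or not tokens[0].isdigit():
            raise ValueError("missing count for " + section)
        count = int(tokens.pop(0))
        if count > len(tokens):
            raise ValueError("truncated " + section + " section")
        rrs, tokens = tokens[:count], tokens[count:]
        msg[section] = [dict(zip(RR_KEYS, rr.split(",", 4))) for rr in rrs]
    if tokens:
        raise ValueError("unexpected trailing fields")
    return msg

def answers(msg):
    """Return the (name, type, rdata) tuples a passive-DNS log would keep."""
    return [(rr["name"], rr["type"], rr["rdata"]) for rr in msg["answer"]]
```

Input that does not match the inferred layout raises ValueError rather than yielding a partly filled record, so a log pipeline can count and inspect rejects.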