I can compile on Debian 4.0 i386, CentOS 5.1 x86_64, and OpenSUSE 10.3 
x86_64 using the notes below.


Linux ncaptool HOTWO:

1. Pre-requisites:

For each of the operating systems, I downloaded the boot CD and
installed over the network on my Dell Pentium D (x84) desktop
with a minimal server configuration.  Most people probably install
developer tools on their boxes, but I don't make that assumption.

1.1 Debian Etch 4.0

 After a fresh workstation install, I'd edit /etc/apt/sources.list to make
 sure I can download packages from the net.  I'd then make sure
 the following developer tools were installed:
   apt-get install build-essential libpcap0.8-dev libbind-dev

1.2 CentOS 5.1

 CentOS auto-configures yum to .  After a minimal
 base install, I downloaded some developer tools:
   yum install gcc libgcc libpcap-devel

1.3 SUSE

 After a minimal install of SUSE, I needed the following packages:
   yast -i make gcc cvs libpcap-devel wget groff

 I also need a text editor.  My choice was "vim".

1.4 Others

When compiling on Linux, make sure you have a good development
environment where make and gcc work and you have libaries and
headers for pcap.  If your distribution doesn't have a libpcap-devel
package, you can go to http://www.tcpdump.org and download and install
libpcap.  If you can build tcpdump from source, you're in good shape.

2. BIND prerequisite

The dns debugging feature in ncaptool needs libbind.a.
The easiest way to get one is to download a fresh copy
of BIND and recompile in a temporary location:
  cd /var/tmp
  rm -rf bind-9.4.2
  wget ftp://ftp.isc.org/isc/bind9/9.4.2/bind-9.4.2.tar.gz
  tar -xzf bind-9.4.2.tar.gz
  cd bind-9.4.2
  ./configure --enable-libbind --prefix /var/tmp/bind
  make
  rm -rf /var/tmp/bind
  make install

On Debian sytems, you can ignore the above and use the libbind-dev package
instead.  

3. Installing ncaptool

Get ncap from OARC:

  cd /var/tmp
  rm -rf ncap
  cvs -q -d :pserver:anonymous@cvs.oarci.net:/proj/cvsroot login
  # (press return for an empty password)
  cvs -q -d :pserver:anonymous@cvs.oarci.net:/proj/cvsroot get ncap
  cd ncap

Edit the Makefile.
Look for the word "Linux" and set the following variables near
that location:
  PORTLDFLAGS= -L/usr/local/lib
  PORTLIBS= -lrt
  BINDCFLAGS= -I/var/tmp/bind/include
  BINDLDFLAGS= -L/var/tmp/bind/lib

Comment out the -lthr line for FreeBSD:
  #PORTLIBS= -lthr

Then:
  make
  make install

On Debian, you should use the Makefile.debian file instead:
  make -f Makefile.debian
  make -f Makefile.debian install

Make sure your program runs:
 /usr/local/bin/ncaptool -h

To test it, sniff your ethernet interface (eg: eth0) for packets:
  #!/bin/bash
  ncaptool -fmv -i eth0 -g - -b "udp src port 53" &
  dig www.isc.org a >/dev/null
  sleep 1
  kill %1

Example output from ncaptool:
  [45 pcap if eth0] 2008-04-26 01:33:14.293492000 [00000000 00000000] \
      [198.6.1.3].53 [172.16.26.104].32768 \
      dns QUERY,NOERROR,11456,qr|rd|ra \
      1 www.isc.org,IN,A \
      1 www.isc.org,IN,A,445,204.152.184.88 0 0

Because libbind.a was compiled into ncaptool, you can remove BIND 9.4.2:
  rm -rf /var/tmp/bind /var/tmp/bind-9.4.2*

You can remove /var/tmp/ncap or move it somewhere more permanent.