If /var/arpwatch/arp.dat is missing, arpwatch will die with a success error code (init.d/arpwatch starts shows OK). Either arp.dat should be created in the RPM, arpwatch made to create it if necessary or die in a more graceful manner. E.g.: Oct 12 23:58:27 haukka arpwatch: fopen(arp.dat): No such file or directory Oct 12 23:58:27 haukka kernel: eth0: Promiscuous mode enabled. Oct 12 23:58:27 haukka kernel: device eth0 entered promiscuous mode Oct 12 23:58:27 haukka kernel: device eth0 left promiscuous mode
Here's what's in the tcpdump spec file (for the arpwatch sub-package) %config %{_vararpwatch}/arp.dat and here's what's in the arpwatch package itself -rw-r--r-- 1 root root 0 Oct 12 10:04 /var/arpwatch/arp.dat Dunno what else needs to be done.
sometimes, arp.dat get deleted. You need to touch it and change the user to pcap, in RH9, do this: # touch /var/arpwatch/arp.dat # chown pcap.pcap /var/arpwatch/arp.dat the file arp.dat is included in the arpwatch rpm