If /var/arpwatch/arp.dat is missing, arpwatch will die with a
success error code (init.d/arpwatch starts shows OK).
Either arp.dat should be created in the RPM, arpwatch made to create it if necessary
or die in a more graceful manner. E.g.:
Oct 12 23:58:27 haukka arpwatch: fopen(arp.dat): No such file or directory
Oct 12 23:58:27 haukka kernel: eth0: Promiscuous mode enabled.
Oct 12 23:58:27 haukka kernel: device eth0 entered promiscuous mode
Oct 12 23:58:27 haukka kernel: device eth0 left promiscuous mode
Here's what's in the tcpdump spec file (for the arpwatch sub-package)
and here's what's in the arpwatch package itself
-rw-r--r-- 1 root root 0 Oct 12 10:04
Dunno what else needs to be done.
sometimes, arp.dat get deleted.
You need to touch it and change the user to pcap, in RH9, do this:
# touch /var/arpwatch/arp.dat
# chown pcap.pcap /var/arpwatch/arp.dat
the file arp.dat is included in the arpwatch rpm