I made a patch for arpwatch-2.1a10 that allows it to drop root privileges
after opening (pcap_open_live) socket. I'm attaching the patch in case
you are interested (it adds -u command line parameter).
I'm also attaching a man page patch (by Pekka Savola) that describes
the -u parameter.
Created attachment 4613 [details]
Patch for arpwatch-2.1a9 to drop root privs after init.
Created attachment 4614 [details]
Arpwatch man page patch.
Request for inclusion of this patch strongly seconded.
Fixed (patches added) in tcpdump-3.4-32.
However arpwatch still runs as root - as stated in bug 21737 a new user/group
needs to be added for arpwatch to use.