ettercap can decrypt SSH1, which is a very good reason to never enable SSH1 on your boxen.

arpwatch is a great tool for detecting active ARP poisoning attacks on your network (and possibly your external network, say to keep your ISP's router IP from being faked (although that can cause problems if your ISP uses IP-failover technology).

Well, could the arpwatch be run by the same host that the ettercap is run?

Then, everyone that is plugged to an untrasted network should run arpwatch to check if his network is currently safe to start some sessions, unsafe ftp connections.

Is that a reasonable policy for self-security?

The title of your original question mentioned 'man in the middle' attacks. This is different than sniffing. Suppose that you are going to connect to your work computer from home. Suppose that you decide to use ssh2 to be secure. You haven't done this before, so you don't have the public key in the ./ssh directory.
What you don't know is that a hacker has been able to supply his ip address to your home computer, pretending to be your work computer. Now the initial connection is made with the hacker, who then supplies the identical information to the work computer setting up his own ssh2 connection. Now the hacker is able to tap into your traffic which is non-encrypted.
It would have been best if you would have manually added your home computer's public key to the work computer.