December 23rd, 2004, 03:21 PM
#3
A couple of corrections...
It is possible to do this with only one NIC. The difficulty lies in sending the appropriate ARP replies to the appropriate hosts. A basic "change my mac address" will work only with two cards. The victim machines may still be responding to ARP requests, which presents other problems. If the victims react to unsolicited ARP replies, and theirs gets to the other victim last, you're out of luck. A more effective way is to simply send an unsolicited ARP reply to the victims. Most will simply update their tables. These packets can then be resent at regular intervals to prevent the table from defaulting back to its original state. Now if the victims do *not* respond to unsolicited ARP replies, the whole thing gets turned around. Now you've got to be the first one to send the reply to the victim, after waiting for a request. This can sometimes be tricky depending on network architecture and layout. Your attack may also be intermittent if the correct replies (i.e., not yours) get to the victims from time to time.
Also, tcpdump will by default only capture the first 96 bytes of packets it sees, which is enough for TCP header information. To tell tcpdump to capture the entire packets, specify the -S 0 option on the command line. This will set the snaplength (normally the number of bytes per packet to capture) to 0, which tcpdump interprets as "capture the whole thing".
Otherwise, it was a very good tutorial.
Government is like fire - a handy servant, but a dangerous master - George Washington
Government is not reason, it is not eloquence - it is force. - George Washington.
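A defensive complement to the behaviour described in this post, added here as an example and not code from the thread: a small Python monitor that parses ARP frames, pairs each reply with the request that preceded it, and flags unsolicited replies, the same unsolicited mapping repeated at intervals, and an IP-to-MAC change. The frame layout is standard Ethernet II/ARP; the addresses, timings and traffic are constructed for the sample.

```python
import struct
from collections import Counter
ARP_REQUEST, ARP_REPLY = 1, 2
def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP (EtherType 0x0806); None if not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    mac, ip = (lambda b: b.hex(":")), (lambda b: ".".join(map(str, b)))
    return {"op": struct.unpack("!H", frame[20:22])[0], "sha": mac(frame[22:28]),
            "spa": ip(frame[28:32]), "tha": mac(frame[32:38]), "tpa": ip(frame[38:42])}
def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/ARP frame; used here only to construct sample traffic."""
    mac, ip = (lambda s: bytes.fromhex(s.replace(":", ""))), (lambda s: bytes(map(int, s.split("."))))
    dst = mac(tha) if op == ARP_REPLY else b"\xff" * 6
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    return dst + mac(sha) + b"\x08\x06" + hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
class ArpMonitor:
    """Matches replies to requests and flags the poisoning pattern described in the post."""
    def __init__(self, window=2.0, repeat_threshold=3):
        self.window, self.threshold = window, repeat_threshold
        self.pending, self.table = {}, {}   # ip asked about -> request time; ip -> mac
        self.unsolicited, self.alerts = Counter(), []  # (ip, mac) -> count; (ts, kind, ip, detail)
    def observe(self, ts, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp["op"] == ARP_REQUEST:
            self.pending[arp["tpa"]] = ts
            return
        ip, mac = arp["spa"], arp["sha"]
        asked = self.pending.pop(ip, None)
        if asked is None or ts - asked > self.window:
            # Gratuitous ARP at boot (spa == tpa) also lands here once; repetition and changes matter.
            self.alerts.append((ts, "unsolicited reply", ip, mac))
            self.unsolicited[(ip, mac)] += 1
            if self.unsolicited[(ip, mac)] == self.threshold:
                self.alerts.append((ts, "repeated unsolicited replies", ip, mac))
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ts, "mapping changed", ip, f"{old} -> {mac}"))
        self.table[ip] = mac
def run_sample():
    """Constructed traffic: one legitimate exchange, then forged replies every 10 s."""
    mon = ArpMonitor()
    gw, host, rogue = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    mon.observe(0.0, build_arp(ARP_REQUEST, host, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"))
    mon.observe(0.1, build_arp(ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.2"))
    for t in (5.0, 15.0, 25.0):  # forged replies mapping the gateway IP to the rogue MAC
        mon.observe(t, build_arp(ARP_REPLY, rogue, "10.0.0.1", host, "10.0.0.2"))
    return mon.alerts
```

On a real capture the same monitor would be fed frames from a full-snaplen dump, which is exactly why the snaplength point in the post matters for ARP as well.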