--- tcpdump-3.9.7/tcpdump.c.droproot	2006-09-19 21:07:57.000000000 +0200
+++ tcpdump-3.9.7/tcpdump.c	2007-07-24 16:15:54.000000000 +0200
@@ -958,6 +958,11 @@ main(int argc, char **argv)
 		(void)setsignal(SIGHUP, oldhandler);
 #endif /* WIN32 */
 
+	if (Cflag != 0 && (getuid() == 0 || geteuid() == 0)) {
+		if (username || chroot_dir)
+			droproot(username, chroot_dir);
+	}
+
 	if (pcap_setfilter(pd, &fcode) < 0)
 		error("%s", pcap_geterr(pd));
 	if (WFileName) {
@@ -999,7 +1004,7 @@ main(int argc, char **argv)
 	 * We cannot do this earlier, because we want to be able to open
 	 * the file (if done) for writing before giving up permissions.
 	 */
-	if (getuid() == 0 || geteuid() == 0) {
+	if (Cflag == 0 && (getuid() == 0 || geteuid() == 0)) {
 		if (username || chroot_dir)
 			droproot(username, chroot_dir);
 	}
--- tcpdump-3.9.7/tcpdump.1.droproot	2007-07-24 16:15:54.000000000 +0200
+++ tcpdump-3.9.7/tcpdump.1	2007-07-24 16:15:54.000000000 +0200
@@ -264,6 +264,9 @@ have the name specified with the
 flag, with a number after it, starting at 1 and continuing upward.
 The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
 not 1,048,576 bytes).
+
+Note that when used with \fB\-Z\fR option (enabled by default), privileges
+are dropped before opening first savefile.
 .TP
 .B \-d
 Dump the compiled packet-matching code in a human readable form to
@@ -592,7 +595,9 @@ Drops privileges (if root) and changes u
 and the group ID to the primary group of
 .IR user .
 .IP
-This behavior can also be enabled by default at compile time.
+This behavior is enabled by default (\fB\-Z tcpdump\fR), and can
+be disabled by \fB\-Z root\fR.
+
 .IP "\fI expression\fP"
 .RS
 selects which packets will be dumped.