I just tested it and it works as expected. The steps I follow:
– Check ip from victim machine.
– Run the ettercap attack with all the arguments needed.
– Check on windows machine that the arp table has been modified.
– Clear browser’s cache.
– Visit http://testphp.vulnweb.com/login.php and log in.
– Credentials are displayed in ettercap.
So if the arp spoofing attack is working then you should be able to sniff credentials, you can also run wireshark in the background before visiting vulnweb page and capture all the packets, then search among the results and you should be able to find the credentials.