Which tool is commonly used to monitor ARP activity for spoofing detection?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which tool is commonly used to monitor ARP activity for spoofing detection?

Explanation:

ARP spoofing happens when an attacker sends forged ARP information on a local network, causing traffic to be misdirected. To defend against this, you need a tool that watches the actual ARP traffic on the network segment and tracks the IP-to-MAC mappings over time, so it can spot unexpected changes and raise an alert. ARPwatch does exactly that: it passively monitors ARP requests and replies, builds a record of which MAC address is associated with each IP on the network, and flags anomalies such as the same IP appearing with a different MAC or a single MAC claiming multiple IPs. This makes it possible to detect ARP cache poisoning as soon as it happens and respond accordingly.

The other options aren’t tailored for this purpose. Nmap is a scanning tool used to discover hosts and services, not to monitor ongoing ARP activity. Ping is an ICMP-based utility for checking reachability, not for mapping or verifying ARP associations. Netstat shows current network connections and listening ports, not ARP table changes on the LAN. ARPwatch is designed specifically to monitor ARP activity to detect spoofing, making it the best choice here.
