Which tool would you deploy to watch for unusual ARP traffic as part of security monitoring?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Which tool would you deploy to watch for unusual ARP traffic as part of security monitoring?

Explanation:

Watching ARP traffic for anomalies is best done with a tool built to monitor and alert on IP-to-MAC mappings in real time. ARPwatch continuously observes ARP packets on the local network, maintains a live database of which IP is associated with which MAC, and quickly flags changes. If a host suddenly appears with a different MAC for the same IP or a new mapping shows up, ARPwatch raises an alert, which is exactly what you want for detecting ARP spoofing or man-in-the-middle attempts.

Netstat is focused on current connections and routing information, not ARP traffic across the LAN. Tcpdump can capture ARP packets, but it’s a general packet sniffer that requires additional parsing and scripting to generate ongoing alerts. Nmap is a scanning tool used for discovering hosts and services, not for monitoring ongoing ARP behavior. ARPwatch, by contrast, is purpose-built for monitoring ARP activity and alerting on suspicious changes, making it the most suitable choice for security monitoring in this scenario.
