Friday, December 31, 2010

Using ARP pollution to pinpoint misconfigured network devices

This article outlines how to use ARP pollution, meaning ARP traffic from hosts whose addresses do not belong on the VLAN, to pinpoint misconfigured network devices.  We will use only free software.
ARP is the protocol IPv4 hosts use to resolve an IP address to a MAC address, and it never crosses a router: it is confined to a single broadcast domain, normally one VLAN.  Ideally every ARP packet seen on a VLAN carries addresses from that VLAN's own subnet.  A host that ARPs with an address from some other subnet cannot reach the VLAN's default gateway anyway, so any such traffic is a reliable sign of a device that is plugged into, or addressed for, the wrong network.

Preparations:
-Configure the switch port you will capture on as an access port carrying a single untagged VLAN.  WinPcap will happily capture 802.1Q-tagged frames from a trunk port, and ARP from several VLANs mixed together makes the result confusing.
-Install Wireshark on a Windows workstation (the easiest route); the installer also installs WinPcap, which tshark needs in order to capture.
-Download agrep for Windows and put it somewhere in the PATH.  I renamed mine to just grep, as that's what I'm used to.

After all that prep we are going to run a command that looks like this (the path contains a space, so it has to be quoted):
"C:\Program Files\Wireshark\tshark.exe" -c 100 -f arp | agrep -v (your network prefix)

If the workstation has more than one interface, run tshark.exe -D to list them and add -i <number> so the capture happens on the port you prepared; otherwise tshark picks the first interface it finds.

The network prefix on your IP addresses will look something like this:
10.1.1.  or 192.168.0.  or 172.30.0.

Note that grep and agrep treat the dot as a regex wildcard, so 10.1.1. also matches 10.1.10.x and would hide a host on that subnet.  Escape the dots (10\.1\.1\.) if that is a risk on your network.


This starts the command-line version of Wireshark, captures 100 packets that match the ARP capture filter, and prints only the ones whose summary line does not contain your network prefix, i.e. the hosts that are ARPing with addresses that do not belong on this VLAN.
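The same filtering done properly, as an added example that is not part of the original post: instead of a string-prefix grep over the summary line, it parses per-frame fields and tests the sender's IP against the VLAN's subnet with real CIDR matching. It assumes tshark was run as tshark -T fields -e eth.src -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -f arp, which prints one tab-separated line per ARP frame (sender MAC, sender IP, target IP). The capture lines below are constructed for the example, not taken from a real network; the function and variable names are mine.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what
#   tshark -T fields -e eth.src -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4 -f arp
# emits: sender MAC, sender IP, target IP, tab-separated, one line per ARP frame.
# The MACs and addresses are made up for this example.
SAMPLE_CAPTURE = """\
00:11:22:33:44:01\t10.1.1.20\t10.1.1.1
00:11:22:33:44:02\t10.1.1.1\t10.1.1.20
00:11:22:33:44:03\t10.1.10.7\t10.1.10.1
00:11:22:33:44:04\t192.168.50.23\t192.168.50.1
00:11:22:33:44:04\t192.168.50.23\t192.168.50.1
00:11:22:33:44:05\t0.0.0.0\t10.1.1.77
00:11:22:33:44:06\t169.254.3.9\t169.254.3.9
"""


def parse_tshark_fields(text):
    """Yield (sender_mac, sender_ip, target_ip) from tshark -T fields output."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0]:
            continue  # blank or truncated line, skip it
        yield parts[0], parts[1], parts[2]


def find_foreign_arp(text, expected_cidr):
    """Return {sender_mac: set(sender_ips)} for ARP frames whose sender
    protocol address lies outside expected_cidr.

    0.0.0.0 is ignored: it is the sender address of an ARP probe from a host
    that is still acquiring a lease and is legitimate on any VLAN.  Everything
    else outside the subnet is reported, including 169.254/16 link-local
    addresses, which usually mean a host that gave up waiting for DHCP.
    """
    net = ipaddress.ip_network(expected_cidr, strict=False)
    foreign = defaultdict(set)
    for mac, sender, _target in parse_tshark_fields(text):
        try:
            ip = ipaddress.ip_address(sender)
        except ValueError:
            continue  # malformed field, not worth crashing the sweep over
        if ip.is_unspecified:
            continue
        if ip not in net:
            foreign[mac].add(str(ip))
    return dict(foreign)


def naive_prefix_filter(text, prefix_regex):
    """Mimic `agrep -v <prefix>`: keep only lines that do NOT match the regex.

    With an unescaped prefix such as "10.1.1." the dot matches any character,
    so a host on 10.1.10.0/24 is silently suppressed.  find_foreign_arp()
    catches it because it compares addresses, not characters.
    """
    pattern = re.compile(prefix_regex)
    return [line for line in text.splitlines() if line and not pattern.search(line)]


if __name__ == "__main__":
    for mac, ips in sorted(find_foreign_arp(SAMPLE_CAPTURE, "10.1.1.0/24").items()):
        print(mac, "is ARPing with", ", ".join(sorted(ips)))
```

Feed it a real capture with tshark ... | python find_foreign_arp.py (after swapping SAMPLE_CAPTURE for sys.stdin.read()) and each offending MAC is listed once, which is what you need to look it up in the switch's MAC address table and find the port it is plugged into.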

When I do this I find that there is a network sniffing device that mistakenly has TCP/IP and DHCP enabled on the sniffing interface, and it has confiscated the first DHCP offer that it saw while sniffing.  The sniffing port has multiple VLANs; if it grabs a DHCP address from the untagged VLAN I will have an IP address conflict, but the first offer it saw was from the tagged VLAN, so I see it broadcasting on the wrong VLAN.
