I encountered Intranet ARP several times at work. The search method is analyzed as follows:
When several servers in a CIDR block cannot access the Internet, it may be an intranet ARP attack. telnet to the layer-3 switch immediately (the layer-2 switch does not work) and use show arp (dis arp for Huawei devices) you can see that the MAC addresses of several IP addresses are the same. After you write down these IP addresses, use the show logging command (dis logbuffer for Huawei devices) to view the logs. You will find that there is no log error for one of the IP addresses; this IP address is the initiator of the Intranet ARP, and immediately takes measures (shutdown the port connecting to this IP address on the switch or directly shut down the server of this IP address to check and kill ARP before inserting the network cable for power-on ).
If a server often has Intranet ARP, you can consider dividing a VLAN for the server to block its impact on the entire network segment, and then completely process it.
It can also be used to capture packets on a PC after a port image is created. However, I don't think the above method can be used to perform fast. If you do not have a network environment with a layer-3 switching device, you can capture packets and analyze the packets on your PC.