I'm trying to come up with something that would solve an injection attack.
The kind of arp-request overflows people usually throw at you when they want to surf the net.

I'm thinking I might be able to spot the extreme arp activity and just go ifdown eth1 and switch to eth0 instead, now the script handling that is easy. Monitoring the arp activity on the other hand is something I'd like to get some help with. Wireshark perhaps but how to do I extract the data I want, what would be a forbidden value of arp requests..

Thanks guys

AFAIK there's nothing you can solve injection attacks with from your workstation, talking to this "user" might. Any hwaddr that advertises itself incessantly as another (or multiple) hwaddr is bad. If it's flooding you're concerned with then arpwatch could help notice changes in mappings. OTOH if it's poisoning (as in MITM) then setting static ARP entries for remote hwaddrs could help. If you suspect ARP malarky on a network you can't do zilch about make sure you access whatever you need to access over secure protocol versions.