I want to try and do a script that will detect devices that distribute incorrect MAC address detail in "fraudulent ARP packets" and add their addresses to a blacklist.
The idea is that the script will sniff ARP packets and if the reply MAC address is different to the known MAC address for the default gateway the associated IP address will be blacklisted.
I looked at /tool mac-scan as a possible option to inspect the MAC-address/IP-address pairs. If I then detect any false information with mac-scan the idea is to start the packet sniffer and find the illegitimate address.
Has anybody else done scripting to do something similar or have any other suggestions how to achieve this?
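
The check described in the post, as an added Python example that is not part of the original post and is not RouterOS script: it parses captured Ethernet/ARP frames and reports every MAC address advertised for the gateway IP that differs from the known gateway MAC. The gateway IP and MAC, the host values and the sample frames are constructed assumptions.

```python
import socket
import struct

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32])

def find_gateway_spoofers(frames, gw_ip, gw_mac):
    """Return the MACs advertised for gw_ip in ARP replies that are not gw_mac."""
    offenders = set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sender_mac, sender_ip = parsed
        # A forged reply carries the gateway's IP, so only the MAC identifies the sender.
        if oper == ARP_REPLY and sender_ip == gw_ip and sender_mac != gw_mac.lower():
            offenders.add(sender_mac)
    return offenders

def arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed Ethernet/ARP reply frame for the sample data."""
    s, d = (bytes.fromhex(m.replace(":", "")) for m in (src_mac, dst_mac))
    return (d + s + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, ARP_REPLY)
            + s + socket.inet_aton(src_ip) + d + socket.inet_aton(dst_ip))

# Constructed sample values (documentation IP range, locally administered MACs).
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
HOST = ("02:00:00:00:00:10", "192.0.2.10")
SAMPLE = [
    arp_reply(GW_MAC, GW_IP, *HOST),               # genuine gateway reply
    arp_reply("02:00:00:00:00:66", GW_IP, *HOST),  # another MAC claiming the gateway IP
    arp_reply(HOST[0], HOST[1], GW_MAC, GW_IP),    # ordinary host reply
    b"\x00" * 20,                                  # truncated frame, ignored
]

if __name__ == "__main__":
    print(find_gateway_spoofers(SAMPLE, GW_IP, GW_MAC))
```

Because the sender IP in a mismatching reply is the gateway's own address, the value to feed into a blacklist is the reported MAC.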