How to find the process which causes the ARP request?

This behavior is very common when you have a DHCP server running. The server probes addresses in the lease range to see which of them are free. There are also other network monitoring solutions that use ARP to track which addresses are in use on a network.

As far as I know there is no system in Unix-like systems to see which program initiates an ARP request. You could possibly strace/ktrace/dtrace to find the system call.

In the end I would not worry too much about it. A large amount of ARP packets can cause problems, but only when it gets into the 1000pps range. A few packets a second is nothing to worry about.


ARP requests on a router are expected behaviour. ARP requests are used so the router knows the next hop address on the network for a particular route. Its basic job is to map an IP address to a MAC address.

From the sample you have provided above, it doesn't look like it is ARP'ing excessively.


If the ARP packets originate from a Linux box you can try generating a generous amount of iptables rules with the --pid-owner XXX option (matches if the pid of the process creating the packet is XXX; you'd have to cover a large range of pid numbers) and hope that the process that actually sends packets isn't a short-lived spawn of something else.

Alternatively, you could use (much fewer) --uid-owner XXX options to find the uid of the owner of the process that sent the packet.

On a tangent, if 211.123.123.242 is your gateway and it looks for MAC addresses corresponding to various IPs from this network, then it may have some packets to deliver from outside the network. Who is trying to communicate with non-existent addresses, and why, may actually be a more interesting thing to investigate than hunting for the originator of ARP requests on the gateway box.
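
An added example, not part of any answer above: a Python sketch that reads `tcpdump -tt -n arp` output, computes the ARP request rate to compare against the 1000pps figure mentioned in the first answer, and lists the addresses a sender keeps asking for without any reply being seen. The capture lines are constructed for illustration; only the gateway address 211.123.123.242 comes from the thread, and the function and constant names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -tt -n arp` output (not from the original post).
SAMPLE = """\
1300000000.000000 ARP, Request who-has 211.123.123.10 tell 211.123.123.242, length 46
1300000000.500000 ARP, Reply 211.123.123.10 is-at 00:11:22:33:44:55, length 46
1300000001.000000 ARP, Request who-has 211.123.123.77 tell 211.123.123.242, length 46
1300000002.000000 ARP, Request who-has 211.123.123.77 tell 211.123.123.242, length 46
1300000004.000000 ARP, Request who-has 211.123.123.78 tell 211.123.123.242, length 46
"""

# Rule-of-thumb level from the first answer at which ARP volume becomes a problem.
EXCESSIVE_PPS = 1000

# Some tcpdump versions print the target MAC in parentheses after the target IP.
REQ = re.compile(r"^(\d+\.\d+) ARP, Request who-has (\S+)(?: \(\S+\))? tell (\S+), length")
REP = re.compile(r"^(\d+\.\d+) ARP, Reply (\S+) is-at (\S+), length")

def summarize(text):
    """Return (requests_per_second, requests, unanswered) for a capture."""
    requests = Counter()   # (sender_ip, target_ip) -> number of requests
    answered = set()       # IPs for which a reply was seen
    stamps = []            # timestamps of requests only
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            stamps.append(float(m.group(1)))
            requests[(m.group(3), m.group(2))] += 1
            continue
        m = REP.match(line)
        if m:
            answered.add(m.group(2))
    span = max(stamps) - min(stamps) if len(stamps) > 1 else 0.0
    rate = len(stamps) / span if span > 0 else float(len(stamps))
    # Targets nobody answered for are the "non-existent addresses" of the last answer.
    unanswered = Counter({k: n for k, n in requests.items() if k[1] not in answered})
    return rate, requests, unanswered

if __name__ == "__main__":
    rate, requests, unanswered = summarize(SAMPLE)
    print(f"{rate:.2f} ARP requests/s (excessive: {rate >= EXCESSIVE_PPS})")
    for (sender, target), n in unanswered.most_common():
        print(f"{sender} asked for {target} {n}x, no reply seen")
```

Repeated unanswered requests from the gateway point to the addresses that outside traffic is being sent to, which is the starting point for a packet capture on the gateway's external interface.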