How to identify from a Windows computer the wireless device that is poisoning router?
Can you (temporarily) enable MAC filtering on the Wifi?
With that, you should be able to whitelist one MAC at a time and see which one is the culprit.
For what it's worth, I would suspect someone is running BitTorrent or something similar.
Even when (some of the) other answers are more practical to find your problem, as long as the original question request something like "How to find and ARP poisoning running?", I am going to give an easy-to-apply in a few steps method to detect ARP Poisoning valid for any Windows version extracted from a generic (non-WiFi), faster and simpler method here.:
If you suspect about ARP Poisoning happening only for WiFi , the usual first method is to check if your ARP table changes the Physical Address value (at least the value of your router, for example: 192.168.0.1) after 1-2 minutes of switching to WiFi mode from cable network mode.
Try these steps:
1.- Switch to non-poisoning scenario: Turn Off WiFi in your router.
2.- Open Shell as Administrator:
cmd
3.- Check ARP Table:
c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address Type
192.168.0.1 00-24-a5-0e-a8-42 dynamical
192.168.0.102 50-e5-49-c5-47-15 dynamical
192.168.0.107 00-17-31-3f-d3-a9 dynamical
4.- Switch to posible-poisoning scenario: Turn ON WiFi in your router.
5.- Clear ARP Cache (Administrator shell required):
arp -d -a
6.- Wait 1-2 minutes (to make sure network traffic has started the poisoning).
7.- Check again ARP Table:
c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address Type
192.168.0.1 00-17-31-3f-d3-a9 dynamical
192.168.0.102 50-e5-49-c5-47-15 dynamical
192.168.0.107 00-17-31-3f-d3-a9 dynamical
Compare with the other one. If the physical address (AKA as MAC) of your router has changed, then you have some ARP Poisoning in the scene.
To know who is sending the poisoning search for duplicates in the rest of the ARP Table (in the above-shown example, 192.168.0.107 is the poisoner). Explanation: the ARP poisoner device tells to all the network (LAN) something like "I am the router now".
One way to fix the issue is to turn off each device sequentially until the problem is gone. As soon as your ping rate drops to an acceptable level, you've found your culprit.
You could also turn on MAC filtering and add each device one by one as an alternative to turning the devices off. This would essentially block them one by one. Again, as soon as the levels drop to normal, you've found the resource hog.