A while back I had a mystery on my hands. I wasn’t sure if someone had gotten thru my system defenses.
This discussion covers a lot of ground using only standard tools (nothing like the battery of tools that Kali Linux offers). The nature of the symptom (unknown IP reported by arp-scan) did not reach the threshold of requiring those additional tools.
I am sure that many will benefit from a review of the discussion posted here (Note: the title is somewhat misleading):
Hi Eric,
I might be saying something stupid here (forgive me if I do) and I might be completely wrong,
but have you tried open a browser and visit:
http(s)://192.168.0.254 ?
There is a chance that that address is just the admin-webinterface that you usually use to, for instance, view which IP addresses have been assigned to your computers (you showed a screenshot of the webinterface in that thread).
The IP address 192.168.0.254 is often used for that. As far as I could see, nobody in that thread mentioned it.
On my modem/router it is exactly that. The gateway is on a different address, usually 192.168.0.1
Again, sorry if I got completely off the rails here.
That was the first thing I tried (both with and without secure mode). 
The admin login, as “stamped” on the back of the firewall router, is
https://192.168.0.1/login.html
So, not offended by the question, just not the explanation! 