I'm making application that can detact arp spoofing :]
My idea is that if there is attacker in subnet, and he tried to MITM using arp poisoning, then I exec traceroute to default gateway(or changed arp cache entry, whatever).
Cuz all my packets go through attacker's PC, so traceroute will show up some sign.
Is there any problem in my idea? Is it proper? or not?
The proper way to detect arp spoofing is with software like arpwatch.
arpwatch will see that two machines are fighting over the same IP address and notify you.
Nov 10 15:59:34 debian arpwatch: changed station 192.168.1.2 0:17:9a:b:f6:f6
(0:17:9a:a:f6:44)
If you see entries like this for your IP address, then start looking for the switchport that sources the hostile mac-address in question.
As a general answer to your question, traceroute is the wrong way to detect this. Just monitor ARPs and maintain a table of mac-address to IP mappings.
