The tool described is most consistent with Bettercap. Bettercap is a lightweight, extensible framework commonly used in controlled security testing for man-in-the-middle (MITM) operations on local networks. It supports ARP spoofing/ARP poisoning to position the attacker between victims and gateways, enabling interception of traffic. It also supports DNS manipulation/spoofing (e.g., redirecting domain lookups to attacker-controlled destinations) and packet injection capabilities for modifying or inserting traffic. Importantly, it provides an interactive interface that allows real-time session visibility and control, which matches the scenario’s emphasis on interactive monitoring while intercepting internal web application traffic.

The objective described—capturing and manipulating session tokens in transit—is consistent with a MITM platform that can observe HTTP traffic (or influence traffic where TLS is not properly enforced or where testing includes trusted certificates in a lab). Bettercap’s design as an “all-in-one” local network attack and monitoring tool makes it a typical choice for demonstrating risks from weak network segmentation, insecure DNS, lack of HTTPS/HSTS, or insufficient endpoint protections against ARP spoofing.

Why the other options are less suitable:

Wireshark (A) is primarily a packet analyzer/sniffer; it does not inherently perform ARP spoofing, DNS manipulation, or injection as an active MITM tool.

Hetty (B) and Caido (C) are web-focused interception/testing tools (proxy-style workflows). They can intercept HTTP/S when configured as a proxy, but they do not natively specialize in LAN-layer ARP spoofing and DNS manipulation for transparent MITM in the same way as Bettercap.

Therefore, the most likely tool is D. Bettercap.