diff --git a/pkg/agent/openflow/packetcapture.go b/pkg/agent/openflow/packetcapture.go
index a1fd346af63..e2ac65620da 100644
--- a/pkg/agent/openflow/packetcapture.go
+++ b/pkg/agent/openflow/packetcapture.go
@@ -113,19 +113,39 @@ func (f *featurePacketCapture) genFlows(dataplaneTag uint8,
 flowBuilder = flowBuilder.MatchDstIP(packet.DestinationIP)
 }
 } else {
+ // handle pod -> svc case:
 // generate flows to endpoints.
 for _, epPacket := range endpointPackets {
 tmpFlowBuilder := ConntrackStateTable.ofTable.BuildFlow(priorityHigh).
 Cookie(cookieID).
 MatchInPort(ofPort).
 MatchCTStateTrk(true).
+ Action().LoadRegMark(RewriteMACRegMark).
 Action().LoadToRegField(PacketCaptureMark, tag).
 SetHardTimeout(timeout).
- Action().GotoStage(stagePreRouting)
+ Action().GotoStage(stageEgressSecurity)
 tmpFlowBuilder.MatchDstIP(epPacket.DestinationIP)
 flow := matchTransportHeader(packet, tmpFlowBuilder, endpointPackets).Done()
 flows = append(flows, flow)
 }
+
+ // capture the first tracked packet for svc.
+ for _, ipProtocol := range f.ipProtocols {
+ tmpFlowBuilder := ConntrackStateTable.ofTable.BuildFlow(priorityHigh).
+ Cookie(cookieID).
+ MatchInPort(ofPort).
+ MatchProtocol(ipProtocol).
+ MatchCTStateNew(true).
+ MatchCTStateTrk(true).
+ Action().LoadRegMark(RewriteMACRegMark).
+ Action().LoadToRegField(PacketCaptureMark, tag).
+ SetHardTimeout(timeout).
+ Action().GotoStage(stagePreRouting)
+ tmpFlowBuilder.MatchDstIP(packet.DestinationIP)
+ tmpFlowBuilder = matchTransportHeader(packet, tmpFlowBuilder, nil)
+ flows = append(flows, tmpFlowBuilder.Done())
+ }
+
+
 }
 } else {
 flowBuilder = L2ForwardingCalcTable.ofTable.BuildFlow(priorityHigh).
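Review bot: The endpoint flows in the first loop now jump to `stageEgressSecurity` instead of `stagePreRouting` and additionally load `RewriteMACRegMark`, but nothing in the hunk explains why the stages in between can be skipped. These are `priorityHigh` flows that match any tracked packet from `ofPort` to an endpoint IP for as long as the hard timeout lasts, so a reader cannot tell from here whether any processing that normally precedes egress policy enforcement is bypassed while a capture is active. I would add a comment above the builder, for example `// Packets already addressed to an endpoint need no service lookup, so go straight to egress policy; RewriteMACRegMark is required for routing.`, worded to match the actual reasoning once confirmed. The second loop also loses the old `if senderOnly` guard, and the condition that selects this `else` branch is outside the hunk, so `// capture the first tracked packet for svc.` should state when the branch is taken.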
@@ -142,25 +162,6 @@ func (f *featurePacketCapture) genFlows(dataplaneTag uint8,
 }
 }
- // for sender only case, capture the first tracked packet for svc.
- if senderOnly {
- for _, ipProtocol := range f.ipProtocols {
- tmpFlowBuilder := ConntrackStateTable.ofTable.BuildFlow(priorityHigh).
- Cookie(cookieID).
- MatchInPort(ofPort).
- MatchProtocol(ipProtocol).
- MatchCTStateNew(true).
- MatchCTStateTrk(true).
- Action().LoadRegMark(RewriteMACRegMark).
- Action().LoadToRegField(PacketCaptureMark, tag).
- SetHardTimeout(timeout).
- Action().GotoStage(stagePreRouting)
- tmpFlowBuilder.MatchDstIP(packet.DestinationIP)
- tmpFlowBuilder = matchTransportHeader(packet, tmpFlowBuilder, nil)
- flows = append(flows, tmpFlowBuilder.Done())
- }
- }
-
-
 if flowBuilder != nil {
 flow := matchTransportHeader(packet, flowBuilder, nil).Done()
 flows = append(flows, flow)