Leave curl in a loop and verify that it is in fact sending HTTP requests to one of those. If not, try to figure out where it ends up; maybe it's redirected to something like 127.0.0.1 and some port, in which case "lsof -i" should also show what is listening on that IP/port.
@angristan Last suggestion I can think of on the fly is running "sudo ipfw list", which should list current firewall rules on macOS. If some application is redirecting/hijacking HTTP requests, it's probably been done using ipfw.
@angristan Did you try to use wireguard and filter by TCP and port 80?
Unfortunately, if your HTTP stuff is being redirected, it might not show up if you use ip.dst to filter. You might also have to monitor your loopback interface (or all interfaces) rather than your Ethernet interface.