What is the technical reason that tcpdump does not capture container packets from host?

I’ve tried tcpdump a few times and it seems that it cannot capture packets from docker containers. There are a bunch of “How can I capture packets” questions. Often the answer is to use a separate tcpdump container within the same network as the container I want to capture the traffic from. But none of them answers the question: why do I need this anyway?

I’m not sure, but I think docker does some iptables magic, so I thought maybe this is the problem, but here it is mentioned that tcpdump can capture traffic before iptables does its stuff.

So, what is the reason that a command like this tcpdump -i any tcp port 80 on the host shows nothing, or that with tcpdump -i any there is too much traffic and, from what I saw, nothing relevant? It doesn’t work with an IP of the container either: tcpdump -i any host

I tried the docker0 interface, or docker_gwbridge.

None is working as expected.
If I use a separate container, like docker run --rm -it --net container:some-container-name nicolaka/netshoot with the command tcpdump -i any -s0 -x -X port 80 it works.

Many thanks for your insight and time.