One problem seems to be that the empeg's bootp request has the "broadcast bootp flag" set, so the server must use broadcast when replying.. and that reply then gets picked up by all other empegs on the subnet.
Most of the other DHCP clients here do not set that bit, so the server sends a targeted response to them.
I could try having Hijack clear that bit on the outgoing packet, and see if the empeg copes with it.
Hmmm... I do remember now that we set that bit for a reason -- we found a situation (perhaps it was a particular server) where it didn't work without the "broadcast replies" bit set. Still, that was the last remaining bit of the puzzle. You'll notice that your captured packets 3 and 8 (OFFER replies from the server aimed at the two clients) have the same xid in (Wireshark: "Transaction ID"), but different chaddr (Wireshark: "Client MAC address"). The Empeg, utterly incorrectly, matches on the former but not the latter.
So I suspect that checking incoming UDP to port 68 (bootpc) and dropping on the floor (or scrambling the xid of) packets whose chaddr isn't ours,
would fix the problem.
Peter