Can I "listen" to the data between two devices (under my control) using a third device to get rssi?

Little confusing to me but when it comes to RSSI: it's Relative Signal Strength Indication which you can measure on any radio receiver which supports it on PHY level and provides API to it. So your device 3 can listen to any packet and measure its signal strength at its antenna. Now the question is if this is what you want;) If you want to know what is RSSI at some device which don't support propagation of this to upper layers through some API then you are obviously out of luck, you cannot assume by other device what are radio properties of another device at different position. You can imagine it like sound: if you hear some sound with certain intensity you can assume if the source was loud or not but you can only guess if I hear it because you don't know how sensitive my ears are and what is blocking the sound on way to my ear. And while with sound waves it might be possible to predict just based on look on the place topology 2.4GHz radio is much less intuitive in terms of reflections and interference. So don't assume anything like this...

Hehe, this is kind of dreamer's idea, right? Yes, nRF52 chip can be used in "raw" mode - similar to how nRF sniffer FW/app is doing it - and then you can parse and decode any packet which you get (assuming you managed to tune nRF5x receiver to the same frequency and coding so you get decoded data from Rx stage). When it comes to decoding BLE PDUs on the lowest layer there is so-called ACCESS ADDRESS which is set uniquely (= randomly:) for each connection at connection request so if you follow the connection from the very beginning you can clearly identify packets belonging to certain BLE link from other packets. The same with sides, you can easily say what is Master to Slave and what is opposite direction. That's all you need in theory but I doubt you will want to go through torture of implementing this on your own (my estimation would be many months of full-time job). Good luck.

Hehe, this is kind of dreamer's idea, right? Yes, nRF52 chip can be used in "raw" mode - similar to how nRF sniffer FW/app is doing it - and then you can parse and decode any packet which you get (assuming you managed to tune nRF5x receiver to the same frequency and coding so you get decoded data from Rx stage). When it comes to decoding BLE PDUs on the lowest layer there is so-called ACCESS ADDRESS which is set uniquely (= randomly:) for each connection at connection request so if you follow the connection from the very beginning you can clearly identify packets belonging to certain BLE link from other packets. The same with sides, you can easily say what is Master to Slave and what is opposite direction. That's all you need in theory but I doubt you will want to go through torture of implementing this on your own (my estimation would be many months of full-time job). Good luck.