After a lot of testing with different lib and radio driver, together with @Florenc Caminade, we managed to capture and send ESP now packet! And it turns out to be quite simple, we just use linux sockets to send and receive packet. The tricky part was to generate a legit packet the card would accept and transmit as a vendor specific action frame. We had to include a radiotap header...

At the moment, packets are hard coded raw data, so it will only work if your ESP has the same MAC address, and it will send always the same data.. So not very useful but a good proof of concept

The code is on GitHub: https://github.com/thomasfla/Linux-ESPNOW/ and need a bit of cleaning.

To test it, you have to use this MAC address:

ESP: 84:F3:EB:73:55:0D
PC:  F8:1A:67:B7:EB:0B

you also have to set your interface in monitor mode, and it has to support packet injection.

compile and run using:

cd wifiRawSender/
make
sudo ./bin/sender wlan0

 where wlan0 is your interface up in monitoring mode (same applies for receiver example).

What's next?

• Generate or parse the packets (Host MAC, Destination MAC, Payload and payload size, ...)
• Simplify the radiotap header
• Find an efficient way to implement a MAC filter in monitoring mode
• Write a clean library
• Measure the round-trip time

Notes:

About the ACK behavior, I switch to an other wifi interface that does send ACK in monitoring mode !
I did not find if and where this is documented. For my application I don't mind to use a specific card.