Cam see finder
This turned out to be fairly easy and had the big advantage of having someone else worry about threading, networking and all the other underlying things that I didn't really care about.
I set the script to make the HTTP request to the domain then parse the result.
This is a neat idea because the cameras use a default port of 81 rather than the normal 80 and so users would have to know to add :81 to their URL which would go against the ease of use they are aiming for. If I want to see if a camera with code xxxxxx is registered I simply browse to xxxxxx.and see where I get redirected to.
If the UPn P request to that users router worked then I'll end up on the web interface for their camera.
For cameras which were registered I did a HEAD request on a password protected page that should exist on the camera if it was online.
This told me whether the camera existed or not and if it did whether it required authentication.
It isn't hard to request a bunch of URLs, ask HD Moore!
The UPn P traffic was attempting to get my router to open up a PAT hole through it, basically allowing the outside world full access to the camera's web interface - not good!
Dissecting the web traffic, that turned out to be the DDNS setup.
The device comes with a unique 6 character code which the manual says can be used for external viewing, for example if my code is abcdef then it says to browse to see my camera.
The way this is set up with the DDNS is quite interesting, rather than having the subdomain return the external IP of the camera, all subdomains resolve to the domain.
If you browse to the subdomain the page you get does a 302 redirect to the IP of the camera. Every camera which successfully registers with the service has its IP and port available to anyone who decides to query the service.