Hikvision device discover via SADP over SSH

Hikvision SADP is a useful tool which allows to control and active NVR devices within a local network. Unfortunately it is not so useful when dealing with remote devices.

Although there is a small trick. SADP uses a multicast address and a UDP port 37020 for sending and receiving control packets to/from Hikvision devices. This info can be used to create a listening socket on a device within the same network as a host running SADP that will forward these packets to remote networks without setting up multicast routing.

Let’s consider the following topology for our example:

We can create a TCP tunnel over SSH and use it to send out multicast requests to the necessary subnet behind Router B. To accomplish this we would need to:

1. Setup an SSH tunnel from Router A to Router B with local Port binding:

ssh user@routerB -L

2. Setup a local UDP multicast receiver on Router A with forward to the TCP tunnel:

socat -T15 udp4-recvfrom:37020,ip-add-membership=,reuseaddr,fork tcp:localhost:7999

3. Setup a TCP receiver with forward to UDP multicast on Router B

socat tcp4-listen:7999,reuseaddr,fork udp4-datagram:,bind=:37020,ip-add-membership=,sourceport=:37020,bindtodevice=eth2


1. If you are using firewalls, we need to setup rules for Multicast and port listening. An example for IPTABLES:

iptables -I INPUT -p udp –dport 37020
iptables -I INPUT -p tcp –dport 7999
iptables -I INPUT -d -j ACCEPT
iptables -I INPUT -s -j ACCEPT

2. We also would need to setup a multicast route for Router B, so traffic gets sent to the appropriate interface.

route add eth2