What I have come up with so far is that the Neato it self is running a websocket server on port 8081 - and uses some kind of standard Auth-behavior in the headers,
Hypertext Transfer Protocol
GET /drive HTTP/1.1\r\n
Host: xxx.xxx.xxx.xxx:8081\r\n
Sec-WebSocket-Key: XXXXXXX==\r\n
Sec-WebSocket-Version: 13\r\n
Upgrade: websocket\r\n
Origin: ws://xxx.xxx.xxx.xxx:8081/drive\r\n
Date: Tue, 29 Dec 2015 09:17:57 GMT\r\n
Authorization: NEATOAPP XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n
Connection: Upgrade\r\n
\r\n
[Full request URI: http://xxx.xxx.xxx.xxx:8081/drive]
[HTTP request 1/1]
There also a port 8080 open but I can not figure out what's running on that one.
The communication between the Neato and the central server is handled via a server on Amazon - this traffis is HTTPS though. Next step is to set up a SSLSplit and hope that they don't have a pinned cert.