Little Snitch reports outgoing connections for AirPlayXPCHelper for wrong subnets?

Time to answer my own question:

Why AirPlayXPCHelper goes out to this network on port 5000 and 7000?

This is related to the Peer-to-Peer AirPlay and Airplay device discovery. macOS discovers new device and attempts to connect using these ports to finish (?) discovery process.

Couple of my neighbours got new AppleTV and macOS attempts to connect to them. As all AppleTVs are connected to the different networks, it attempts to connect to each of them and it is what Little Snitch reports.

Is there a way to limit its desire to go there?

I'm not aware of any. I just blocked access for AirPlayXPCHelper to networks other than mine using Little Snitch.


This happened to me too so I dug into it. See Apple docs on Airplay Discovery https://support.apple.com/guide/deployment-reference-macos/airplay-discovery-apd19d206cc7/1/web/1.0

I'll refer to a neighbor's device as an "alien" device to emphasize you don't want to connect to it, and that it is not on your local network. (It could broadcast a public address, but that's not what is concerning people here.)

The alien device broadcasts its IP by Bonjour, peer-to-peer, or Bluetooth. Assuming your network is even moderately secure, the Mac isn't getting the alien address via Bonjour. Perhaps your Mac is getting the IP by peer-to-peer wifi but most likely your Mac is getting the alien IP via Bluetooth.

You could turn off Bluetooth to avoid this but some need it on. I see no way on the Mac to say to ignore these broadcasts except for particular networks or to disable AirPlay discovery.

Once your Mac gets the alien device's IP address, your Mac tries to reach out over its regular network (wireless or wired) to the IP. If it can't get there (because it is on a private address different than yours), no harm (except that Little Snitch noticed it).

Even if the alien device broadcasts an IP that you can get to, suppose even the same IP as your real Airplay speakers/TV use, I understand the AES encoding of Airplay basically requires a pre-shared key. Unless you've set that up, it won't talk to them. If you did set it up, then your Mac already knows about your particular speakers/TV and there is no harm with it finding them again.

As for the case that you can get to the alien device via a public IP. If it doesn't have the right pre-shared key, the Airplay AES encoding will keep the alien device from understanding what you send it.

It was scary to me to see this alien network show up, but it seems that this doesn't represent anything more serious than unnecessary alarms. Tell Little Snitch to silently block anything not on your local nets.


I had this exact same issue where Little Snitch detected external AirPlayXPCHelper traffic on port 7000 but treated it as internal traffic. What I mean is that even though I had all external traffic marked as deny, Little Snitch continued to prompt me on each connection attempt until I set it to deny local traffic (just for testing purposes), obviously I do not want to deny local traffic on this port... I do not understand why Little Snitch is interpreting this as local traffic (when the address is not in the local DHCP scope), a bug with Little Snitch perhaps?

When I read a post about AirPlay it got me thinking about how AirPlay technology works, as it now uses bluetooth to establish connections between devices. I was unable to repeat the issue with local connections enabled and bluetooth disabled.

Long story short I am now convinced this is simply a bug in Little Snitch and not someone trying to hack into my network. Blocking local connection or disabling bluetooth are the only ways I can permanently stop attempts.

The bluetooth traffic is coming from an AirPlay enabled device somewhere near your computer. Maybe a next door neighbours AppleTV?