Modbus TCP/IP (also Modbus TCP) is simply the Modbus RTU protocol with a TCP interface that runs on Ethernet. The Modbus messaging structure is the application protocol that defines the rules for organizing and interpreting the data independent of the data transmission medium.
A communicating system over MODBUS TCP/IP may include different type of device:
- A MODBUS TCP/IP Client and Server devices connected to a TCP/IP network.
- The Interconnection devices like bridge, router or gateway for interconnection between the TCP/IP network and a serial line sub-network which permit connections of MODBUS Serial line Client and Server end devices.
The MODBUS protocol defines a simple Protocol Data Unit (PDU) independent of the underlying communication layers. The mapping of MODBUS protocol on specific buses or networks can introduce some additional fields on the Application Data Unit (ADU).
The client that initiates a MODBUS transaction builds the MODBUS Application Data Unit. The function code indicates to the server which kind of action to perform.
MODBUS On TCP/IP
This section describes the encapsulation of a MODBUS request or response when it is carried on a MODBUS TCP/IP network.
A dedicated header is used on TCP/IP to identify the MODBUS Application Data Unit. It is called the MBAP header (MODBUS Application Protocol header). This header provides some differences compared to the MODBUS RTU application data unit used on serial line:
- The MODBUS ‘slave address’ field usually used on MODBUS Serial Line is replaced by a single byte ‘Unit Identifier’ within the MBAP Header. The ‘Unit Identifier’ is used to communicate via devices such as bridges, routers and gateways that use a single IP address to support multiple independent MODBUS end units.
- All MODBUS requests and responses are designed in such a way that the recipient can verify that a message is finished. For function codes where the MODBUS PDU has a fixed length, the function code alone is sufficient. For function codes carrying a variable amount of data in the request or response, the data field includes a byte count.
- When MODBUS is carried over TCP, additional length information is carried in the MBAP header to allow the recipient to recognize message boundaries even if the message has been split into multiple packets for transmission. The existence of explicit and implicit length rules, and use of a CRC-32 error check code (on Ethernet) results in an infinitesimal chance of undetected corruption to a request or response message.
MBAP header description
The MBAP header contains the following fields:
|Transaction Identifier||2 Bytes||Identification of a MODBUS Request/ Response transaction.||Initialized by the client||Recopied by the server from the received request|
|Protocol Identifier||2 Bytes||0 = MODBUS protocol||Initialized by the client||Recopied by the server from the received request|
|Length||2 Bytes||Number of following bytes||Initialized by the client (request)||Initialized by the server (Response)|
|Unit Identifier||1 Byte||Identification of a remote slave connected on a serial line or on other buses.||Initialized by the client||Recopied by the server from the received request|
The header is 7 bytes long.
- Transaction Identifier - It is used for transaction pairing, the MODBUS server copies in the response the transaction identifier of the request.
- Protocol Identifier – It is used for intra-system multiplexing. The MODBUS protocol is identified by the value 0.
- Length - The length field is a byte count of the following fields, including the Unit Identifier and data fields.
- Unit Identifier – This field is used for intra-system routing purpose. It is typically used to communicate to a MODBUS or a MODBUS+ serial line slave through a gateway between an Ethernet TCP-IP network and a MODBUS serial line. This field is set by the MODBUS Client in the request and must be returned with the same value in the response by the server.
All Modbus/TCP ADU are sent via TCP on registered port 502, and the different fields are encoded in Big-endian.
Example Modbus TCP frame
Here is an example of a Modbus TCP request for the content of analog output holding registers #40108 to #40110 from the slave device with address 17. 00 01 00 00 00 06 15 03 00 6B 00 03 0001: Transaction identifier 0000: Protocol identifier 0006: Message length (6 bytes to follow) 15: The unit identifier (17 = 0x15) 03: The function code (read analog output holding registers) 006B: The data address of the first register requested (40108 - 40001 offset = 107 = 0x6B). 0003: The total number of registers requested. (read 3 registers 40108 to 40110)
Contents retrieved from