Detailed description of the Modbus TCP protocol with command examples

26 April 2017 Knowledge Base

In this article, you will learn about the Modbus TCP protocol, which is the evolution of the Modbus RTU protocol.

Where to send a Modbus TCP command?

In an Ethernet network, the device address is its IP address. Typically all devices are on the same subnet, so their IP addresses differ only in the last octet (for example 192.168.1.20) when the most common subnet mask 255.255.255.0 is used.

The physical interface is an Ethernet network; the transport protocol is TCP/IP.

The TCP port used is 502.


Description of the Modbus TCP protocol

The Modbus TCP command consists of a portion of the Modbus RTU message and a special header.

From the Modbus RTU message, the SlaveID address at the beginning and the CRC checksum at the end are removed; what remains is the PDU, the Protocol Data Unit.

The following is an example of a Modbus RTU request that reads the AO (holding register) values of registers #40108 to 40110 from the device with address 17.

11 03 006B 0003 7687

11      Device address SlaveID (17 = 11 hex)
03      Function code (read Analog Output Holding Registers)
006B    Address of the first register (40108 - 40001 = 107 = 6B hex)
0003    Number of required registers (read 3 registers, from 40108 to 40110)
7687    CRC checksum

We drop the SlaveID device address and the CRC checksum and get the PDU:

03 006B 0003

In front of the resulting PDU a new 7-byte header is added, called the MBAP Header (Modbus Application Header). This header contains the following fields:


Transaction Identifier: 2 bytes set by the Master to uniquely identify each request. It can be any value. The Slave device repeats these bytes in its response, because the Slave's responses are not always received in the same order as the requests were sent.

Protocol Identifier: 2 bytes set by the Master. They are always 00 00, which corresponds to the Modbus protocol.

Length: 2 bytes set by the Master, giving the number of bytes in the message that follow. It is counted from the Unit Identifier to the end of the message.

Unit Identifier: 1 byte set by the Master. The Slave device repeats it, so that the Slave device is uniquely identified.

In total we get:

              Slave ID    Request         CRC
Modbus RTU    11          03 006B 0003    7687

              MBAP Header          PDU
Modbus TCP    0001 0000 0006 11    03 006B 0003
              ADU (Application Data Unit) = MBAP Header + PDU

Where:

Byte (hex)  Description                                                       Field name
0001        Transaction identifier                                            Transaction Identifier
0000        Protocol identifier                                               Protocol Identifier
0006        Length (6 bytes follow)                                           Message Length
11          Device address (17 = 11 hex)                                      Unit Identifier
03          Function code (read Analog Output Holding Registers)              Function Code
006B        Address of the first register (40108 - 40001 = 107 = 6B hex)      Data Address of the first register
0003        Number of required registers (read 3 registers, 40108 to 40110)   Total number of registers

In the response from the Modbus TCP Slave device we get:

0001 0000 0009 11 03 06 022B 0064 007F

Where:

Byte (hex)  Description                                                       Field name
0001        Transaction identifier                                            Transaction Identifier
0000        Protocol identifier                                               Protocol Identifier
0009        Length (9 bytes follow)                                           Message Length
11          Device address (17 = 11 hex)                                      Unit Identifier
03          Function code (read Analog Output Holding Registers)              Function Code
06          Number of data bytes that follow (6 bytes)                        Byte Count
02          High byte of the register value (02 hex)                          Register value Hi (AO0)
2B          Low byte of the register value (2B hex)                           Register value Lo (AO0)
00          High byte of the register value (00 hex)                          Register value Hi (AO1)
64          Low byte of the register value (64 hex)                           Register value Lo (AO1)
00          High byte of the register value (00 hex)                          Register value Hi (AO2)
7F          Low byte of the register value (7F hex)                           Register value Lo (AO2)

The analog output register AO0 has the value 02 2B HEX or 555 in the decimal system.

The analog output register AO1 has the value 00 64 HEX or 100 in the decimal system.

The analog output register AO2 has the value 00 7F HEX or 127 in the decimal system.
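As an added example (not part of the original article), the following Python code builds the function 03 request shown above and parses the response, applying the checks the header description implies: the Protocol Identifier must be 0000, the Length field must agree with the number of bytes actually received, and the Transaction Identifier and Unit Identifier must match the request, because responses may arrive out of order. The byte strings are the ones from the worked example; the function and constant names are assumptions of this example.

```python
import struct

# Request and response bytes from the worked example above
# (device address 17, read 3 holding registers starting at 40108).
EXAMPLE_REQUEST = bytes.fromhex("0001 0000 0006 11 03 006B 0003")
EXAMPLE_RESPONSE = bytes.fromhex("0001 0000 0009 11 03 06 022B 0064 007F")

MODBUS_PROTOCOL_ID = 0
FC_READ_HOLDING_REGISTERS = 0x03


def build_read_holding_registers(transaction_id, unit_id, first_register, count):
    """Build a Modbus TCP ADU (MBAP header + PDU) for function 03.

    first_register is the 4xxxx-style register number (e.g. 40108);
    the zero-based address placed in the PDU is first_register - 40001.
    """
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, first_register - 40001, count)
    # Length counts the Unit Identifier plus the PDU that follows it.
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_registers_response(adu, expected_transaction_id, expected_unit_id):
    """Validate the MBAP header and return the register values as a list of ints."""
    if len(adu) < 7:
        raise ValueError("ADU shorter than the 7-byte MBAP header")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol identifier {protocol_id:#06x}")
    # Length covers Unit Identifier + PDU, so the whole ADU must be 6 + length bytes.
    if len(adu) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(adu) - 6} bytes present")
    if transaction_id != expected_transaction_id:
        raise ValueError("response does not belong to this request (transaction id mismatch)")
    if unit_id != expected_unit_id:
        raise ValueError("response carries a different unit identifier")
    pdu = adu[7:]
    function_code, byte_count = pdu[0], pdu[1]
    if function_code != FC_READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {function_code:#04x}")
    data = pdu[2:]
    if len(data) != byte_count or byte_count % 2 != 0:
        raise ValueError("byte count does not match the register data present")
    # Each register is a 16-bit big-endian value: Hi byte first, then Lo byte.
    return [(hi << 8) | lo for hi, lo in zip(data[0::2], data[1::2])]


if __name__ == "__main__":
    assert build_read_holding_registers(1, 17, 40108, 3) == EXAMPLE_REQUEST
    print(parse_read_holding_registers_response(EXAMPLE_RESPONSE, 1, 17))  # [555, 100, 127]
```

The `6 + length` comparison rejects truncated or padded frames before any register data is interpreted, and the transaction-id comparison is what lets a client pair each response with its own request when several are outstanding.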


Modbus TCP command types

Here is a table of the function codes for reading and writing Modbus TCP registers.

Function code  What the function does   Standard name                Value type  Access
01 (0x01)      Read DO                  Read Coil Status             Discrete    Read
02 (0x02)      Read DI                  Read Input Status            Discrete    Read
03 (0x03)      Read AO                  Read Holding Registers       16 bit      Read
04 (0x04)      Read AI                  Read Input Registers         16 bit      Read
05 (0x05)      Write one DO             Force Single Coil            Discrete    Write
06 (0x06)      Write one AO             Preset Single Register       16 bit      Write
15 (0x0F)      Write multiple DO        Force Multiple Coils         Discrete    Write
16 (0x10)      Write multiple AO        Preset Multiple Registers    16 bit      Write


How do I send a Modbus TCP command to read a discrete output? Command 0x01

This command is used to read the values of the DO digital outputs.

The request PDU specifies the address of the first DO and the number of DO values required. In the PDU, DO addresses start from zero.

The DO values in the response are packed into bytes, one bit per output.

The bit values are defined as 1 = ON and 0 = OFF.

The low-order bit of the first data byte holds the DO whose address was given in the request. The remaining DO values follow in order of increasing address towards the high-order bit of the byte, i.e. from right to left.

If fewer than eight DO values were requested, the remaining bits in the response byte are filled with zeros (from the low-order bit towards the high-order bit). The Byte Count field gives the number of complete data bytes in the response.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
06                                                  04
01          Device address                          01          Device address
01          Function code                           01          Function code
00          Address of the first register, Hi byte  01          Byte count
00          Address of the first register, Lo byte  02          Value of DO 0-1
00          Number of registers, Hi byte
02          Number of registers, Lo byte

The states of outputs DO0-1 are given as the value 02 hex, or 0000 0010 in binary.

DO1 is the second bit from the right, and DO0 is the first bit from the right (the low-order bit).

The other six bits are zero-padded to a full byte because they were not requested.

Channels   -  -  -  -  -  -  DO1  DO0
Bits       0  0  0  0  0  0  1    0
Hex        02


How to send a Modbus TCP command to read a digital input? Command 0x02

This command is used to read the values of digital inputs DI.

The query and response for DI is similar to the query for DO.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
06                                                  04
01          Device address                          01          Device address
02          Function code                           02          Function code
00          Address of the first register, Hi byte  01          Byte count
00          Address of the first register, Lo byte  03          Value of DI 0-1
00          Number of registers, Hi byte
02          Number of registers, Lo byte

The states of inputs DI0-1 are given as the value 03 hex, or 0000 0011 in binary.

DI1 is the second bit from the right, and DI0 is the first bit from the right (the low-order bit).

The other six bits are filled with zeros.
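The bit layout described for commands 0x01 and 0x02 (first requested channel in the low-order bit of the first data byte, zero padding in the unused high bits) can be decoded with the following added Python example, which is not part of the original article. It uses the response bytes from the two tables above and, going beyond the article's two-channel examples, also handles channel counts that span more than one data byte. The function names are assumptions of this example.

```python
import struct

# Response bytes from the function 01 and 02 tables above (transaction id
# 0x0102, device address 1, two channels read starting at address 0).
COIL_RESPONSE = bytes.fromhex("0102 0000 0004 01 01 01 02")
DISCRETE_INPUT_RESPONSE = bytes.fromhex("0102 0000 0004 01 02 01 03")


def unpack_discrete_values(data, count):
    """Unpack `count` DO/DI states from the data bytes of a 01/02 response.

    The first requested channel is the low-order bit of the first byte; the
    following channels occupy successively higher bits and continue into the
    next byte. Padding bits above `count` in the last byte are ignored.
    """
    expected_bytes = (count + 7) // 8
    if len(data) != expected_bytes:
        raise ValueError(f"{count} channels need {expected_bytes} byte(s), got {len(data)}")
    return [bool((data[i // 8] >> (i % 8)) & 1) for i in range(count)]


def parse_discrete_response(adu, expected_function_code, count):
    """Check the MBAP header and byte count of a 01/02 response, then unpack the bits."""
    if len(adu) < 9:
        raise ValueError("response too short for header, function code and byte count")
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or len(adu) != 6 + length:
        raise ValueError("length field does not match the bytes received")
    fc, byte_count = adu[7], adu[8]
    if fc != expected_function_code:
        raise ValueError(f"unexpected function code {fc:#04x}")
    data = adu[9:]
    if len(data) != byte_count:
        raise ValueError("byte count does not match the data present")
    return unpack_discrete_values(data, count)


if __name__ == "__main__":
    print(parse_discrete_response(COIL_RESPONSE, 0x01, 2))            # [False, True]: DO0 OFF, DO1 ON
    print(parse_discrete_response(DISCRETE_INPUT_RESPONSE, 0x02, 2))  # [True, True]: DI0 ON, DI1 ON
```

The returned list is in channel order, so index 0 is the channel whose address was sent in the request, which is the opposite of the right-to-left reading order of the printed bit table.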


How to send a Modbus TCP command to read the analog output? Command 0x03

This command is used to read the values of the analog outputs AO.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
06                                                  07
01          Device address                          01          Device address
03          Function code                           03          Function code
00          Address of the first register, Hi byte  04          Byte count
00          Address of the first register, Lo byte  02          Register value Hi (AO0)
00          Number of registers, Hi byte            2B          Register value Lo (AO0)
02          Number of registers, Lo byte            00          Register value Hi (AO1)
                                                    64          Register value Lo (AO1)

The value of output AO0 is 02 2B hex, or 555 in decimal.

The value of output AO1 is 00 64 hex, or 100 in decimal.


How to send a Modbus TCP command to read an analog input? Command 0x04

This command is used to read the values of analog inputs AI.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
06                                                  07
01          Device address                          01          Device address
04          Function code                           04          Function code
00          Address of the first register, Hi byte  04          Byte count
00          Address of the first register, Lo byte  00          Register value Hi (AI0)
00          Number of registers, Hi byte            0A          Register value Lo (AI0)
02          Number of registers, Lo byte            00          Register value Hi (AI1)
                                                    64          Register value Lo (AI1)

The value of input AI0 is 00 0A hex, or 10 in decimal.

The value of input AI1 is 00 64 hex, or 100 in decimal.


How do I send a Modbus TCP command to write a discrete output? Command 0x05

This command is used to write a single DO digital output.

The value FF 00 hex sets the output to ON.

The value 00 00 hex sets the output to OFF.

All other values are invalid and do not affect the output state.

The normal response to such a request is an echo of the request, returned after the DO state has been changed.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
06                                                  06
01          Device address                          01          Device address
05          Function code                           05          Function code
00          Register address, Hi byte               00          Register address, Hi byte
01          Register address, Lo byte               01          Register address, Lo byte
FF          Value, Hi byte                          FF          Value, Hi byte
00          Value, Lo byte                          00          Value, Lo byte

The output status of DO1 has changed from OFF to ON.


How do I send a Modbus TCP command to write an analog output? Command 0x06

This command is used to write a single value to an analog output AO.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
06                                                  06
01          Device address                          01          Device address
06          Function code                           06          Function code
00          Register address, Hi byte               00          Register address, Hi byte
01          Register address, Lo byte               01          Register address, Lo byte
55          Value, Hi byte                          55          Value, Hi byte
FF          Value, Lo byte                          FF          Value, Lo byte

The output status of AO0 has changed to 55 FF hex, or in the decimal system 22015.


How do I send a Modbus TCP command to write multiple discrete outputs? Command 0x0F

This command is used to write multiple DO digital output values.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
08                                                  06
01          Device address                          01          Device address
0F          Function code                           0F          Function code
00          Address of the first register, Hi byte  00          Address of the first register, Hi byte
00          Address of the first register, Lo byte  00          Address of the first register, Lo byte
00          Number of registers, Hi byte            00          Number of written registers, Hi byte
02          Number of registers, Lo byte            02          Number of written registers, Lo byte
01          Byte count
02          Data byte (values of DO 0-1)

The output status of DO1 has changed from OFF to ON.

The DO0 output state remains OFF.


How do I send a Modbus TCP command to write multiple analog outputs? Command 0x10

This command is used to write multiple values to analog outputs AO.

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
0B                                                  06
01          Device address                          01          Device address
10          Function code                           10          Function code
00          Address of the first register, Hi byte  00          Address of the first register, Hi byte
00          Address of the first register, Lo byte  00          Address of the first register, Lo byte
00          Number of registers, Hi byte            00          Number of written registers, Hi byte
02          Number of registers, Lo byte            02          Number of written registers, Lo byte
04          Byte count
00          Value Hi byte, AO0
0A          Value Lo byte, AO0
01          Value Hi byte, AO1
02          Value Lo byte, AO1

The output state of AO0 has changed to 00 0A hex, or in decimal system 10.

The output status of AO1 has changed to 01 02 hex, or in the decimal system 258.
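As an added Python example (not code from the article), the following functions encode the four write requests from the sections above (0x05, 0x06, 0x0F and 0x10) and check a response against its request: 0x05 and 0x06 echo the request in full, while 0x0F and 0x10 echo only the header, function code, start address and count, without the data bytes. The byte strings reproduce the tables above; function names and the `adu` helper are assumptions of this example.

```python
import struct

FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10


def adu(transaction_id, unit_id, pdu):
    """Prefix a PDU with the MBAP header; Length counts the unit id plus the PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def write_single_coil(transaction_id, unit_id, address, on):
    # Function 05 accepts only FF00 (ON) and 0000 (OFF) as the value.
    value = 0xFF00 if on else 0x0000
    return adu(transaction_id, unit_id, struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, value))


def write_single_register(transaction_id, unit_id, address, value):
    if not 0 <= value <= 0xFFFF:
        raise ValueError("register value must fit in 16 bits")
    return adu(transaction_id, unit_id, struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value))


def write_multiple_coils(transaction_id, unit_id, first_address, states):
    # Pack the states LSB-first: the first coil is bit 0 of the first data byte.
    byte_count = (len(states) + 7) // 8
    packed = bytearray(byte_count)
    for i, state in enumerate(states):
        if state:
            packed[i // 8] |= 1 << (i % 8)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_COILS, first_address, len(states), byte_count)
    return adu(transaction_id, unit_id, pdu + bytes(packed))


def write_multiple_registers(transaction_id, unit_id, first_address, values):
    # Byte count is two bytes per register; each register is sent Hi byte first.
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, first_address, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v) for v in values)
    return adu(transaction_id, unit_id, pdu)


def confirm_write(request, response):
    """Return True if the response confirms the write request.

    Functions 05 and 06 echo the whole request. Functions 0F and 10 echo the
    MBAP header (with a recomputed length), function code, first address and
    count, but not the data bytes.
    """
    function_code = request[7]
    if function_code in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        return response == request
    if function_code in (FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS):
        transaction_id = struct.unpack(">H", request[:2])[0]
        return response == adu(transaction_id, request[6], request[7:12])
    return False


if __name__ == "__main__":
    print(write_multiple_registers(0x0102, 1, 0, [10, 258]).hex(" "))
    # 01 02 00 00 00 0b 01 10 00 00 00 02 04 00 0a 01 02
```

Comparing the echoed start address and count against what was sent is how a client confirms that the device acted on the request it issued, rather than trusting the function code alone.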


Modbus TCP request errors

If the device cannot process the request after receiving it, a response with an error code is sent.

The response contains a modified function code: its high-order bit is set to 1.

Example:

Was: function code in the request        Became: function code in the error response
01 (01 hex)   0000 0001                  129 (81 hex)   1000 0001
02 (02 hex)   0000 0010                  130 (82 hex)   1000 0010
03 (03 hex)   0000 0011                  131 (83 hex)   1000 0011
04 (04 hex)   0000 0100                  132 (84 hex)   1000 0100
05 (05 hex)   0000 0101                  133 (85 hex)   1000 0101
06 (06 hex)   0000 0110                  134 (86 hex)   1000 0110
15 (0F hex)   0000 1111                  143 (8F hex)   1000 1111
16 (10 hex)   0001 0000                  144 (90 hex)   1001 0000

Sample request and response with error:

Request                                             Response
Byte (hex)  Field name                              Byte (hex)  Field name
01          Transaction identifier                  01          Transaction identifier
02                                                  02
00          Protocol identifier                     00          Protocol identifier
00                                                  00
00          Message length                          00          Message length
06                                                  03
0A          Device address                          0A          Device address
01          Function code                           81          Function code with the high-order bit set
04          Address of the first register, Hi byte  02          Error code
A1          Address of the first register, Lo byte
00          Number of registers, Hi byte
01          Number of registers, Lo byte

Explanation of error codes

01  The received function code cannot be processed.
02  The data address specified in the request is not available.
03  The value contained in the request data field is invalid.
04  An unrecoverable error occurred while the slave attempted to perform the requested action.
05  The slave has accepted the request and is processing it, but this takes a long time. This response prevents the master from generating a timeout error.
06  The slave is busy processing a command. The master must repeat the message later, when the slave is free.
07  The slave cannot execute the program function specified in the request. This code is returned for an unsuccessful program request using functions 13 or 14. The master should request diagnostic or error information from the slave.
08  The slave detected a parity error while reading extended memory. The master can repeat the request, but usually such cases require repair.
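The following added Python example (not part of the article) classifies a response as normal or exception using the rule above: an exception response carries the request's function code with its high-order bit set, followed by a single error-code byte, and its Length field is therefore always 3. It uses the request and response from the error example table and the error-code explanations listed; the function names and the wording of the descriptions are assumptions of this example.

```python
import struct

# Error codes as explained in the article, keyed by the error-code byte.
EXCEPTION_CODES = {
    0x01: "illegal function: the received function code cannot be processed",
    0x02: "illegal data address: the address specified in the request is not available",
    0x03: "illegal data value: the request data field contains an invalid value",
    0x04: "slave device failure: unrecoverable error while performing the action",
    0x05: "acknowledge: request accepted, processing takes a long time",
    0x06: "slave device busy: repeat the request later",
    0x07: "negative acknowledge: program function (13 or 14) could not be executed",
    0x08: "memory parity error while reading extended memory",
}

# Request and error response from the table above: device 0x0A, function 01,
# first address 0x04A1, one register; the device answers 81 02 (address unavailable).
ERROR_EXAMPLE_REQUEST = bytes.fromhex("0102 0000 0006 0A 01 04A1 0001")
ERROR_EXAMPLE_RESPONSE = bytes.fromhex("0102 0000 0003 0A 81 02")


def to_exception_code(function_code):
    """Function code as it appears in an error response: high-order bit set."""
    return function_code | 0x80


def classify_response(request, response):
    """Match a response to its request and decide whether it reports an error.

    Returns ("ok", function_code, pdu_data) for a normal response, where
    pdu_data is everything after the function code, or
    ("error", function_code, description) for an exception response.
    Raises ValueError when the response does not belong to the request or
    its framing is inconsistent.
    """
    req_tid = struct.unpack(">H", request[:2])[0]
    req_unit, req_fc = request[6], request[7]
    if len(response) < 9:
        raise ValueError("response too short for MBAP header, function code and one data byte")
    tid, proto, length, unit = struct.unpack(">HHHB", response[:7])
    if proto != 0 or len(response) != 6 + length:
        raise ValueError("malformed MBAP header")
    if (tid, unit) != (req_tid, req_unit):
        raise ValueError("response does not belong to this request")
    fc = response[7]
    if fc & 0x80:
        # Exception: original function code with the high bit set, then exactly one error byte.
        if (fc & 0x7F) != req_fc or length != 3:
            raise ValueError("malformed exception response")
        code = response[8]
        return ("error", fc & 0x7F, EXCEPTION_CODES.get(code, f"unknown error code {code:#04x}"))
    if fc != req_fc:
        raise ValueError("function code does not match the request")
    return ("ok", fc, response[8:])


if __name__ == "__main__":
    print(classify_response(ERROR_EXAMPLE_REQUEST, ERROR_EXAMPLE_RESPONSE))
    # ('error', 1, 'illegal data address: ...')
```

Masking the function code with 0x7F recovers the original code from the table of "became" values, so the caller can log which request failed; unknown error codes are reported rather than silently treated as success.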


Programs for working with the Modbus TCP protocol

Below are the programs that will help you easily interact with Modbus TCP devices.

Modbus Master Tool with support for Modbus RTU, ASCII and TCP.

Modbus TCP client with support for Modbus TCP.
