Modbus Protocol Overview With Examples1

12/8/21, 11:27 AM Modbus Protocol Overview with Examples
Modbus Protocol
Modbus » Protocol Help Contents
Introduction
The Modbus Protocol was originally developed by Modicon (now part of Schneider Electric).
Modbus was developed as a
communication protocol for Modicon PLC Devices.
The original Modbus Protocol specification, published in 1979,
describes
Serial Communications where data is transmitted one bit at a time.
A later update to the standard, called Modbus TCP,
describes how to use Modbus in TCP/IP networks.
The rest of this article describes the Modbus protocol is more detail:
Modbus Data Types.

Modbus Message Structure.
Modbus PDU.
Modbus Exception Codes.
Modbus Data Types

The Modbus Protocol supports these data types:
Data Type Access Description

Coil Read-write Single bit outputs.
Discrete Input Read-only Single bit inputs.
Input Register Read-only 16-bit input registers.
Holding Register Read-write 16-bit output registers.
Modbus Message Structure

Modbus is a request-response protocol where:
The client sends a request to a Modbus device.

The Modbus device sends a response.
The structure of a modbus message is the same for both requests and responses:
Unit Address Modbus PDU Error Check
The exact format of the message depends on the variant of Modbus protocol used:
Modbus ASCII - A serial protocol using a subset of ASCII characters.

Modbus RTU - A serial protocol using 8-bit binary.
Modbus TCP - A TCP/IP protocol.
Modbus RTU over TCP - A TCP/IP protocol with an additional CRC check.
Modbus ASCII
Modbus ASCII uses a subset of the ASCII character set to send modbus messages over Serial Communications.
Modbus ASCII messages start with the colon (:) character (ASCII 58).
Modbus ASCII messages end with carriage return
(ASCII 13) and line feed (ASCII 10) characters.
Between the start and end characters only hexadecimal characters 0 to 9 and
A to F are allowed.
https://www.fernhillsoftware.com/help/drivers/modbus/modbus-protocol.html#dataTypes 1/9
The structure of a Modbus ASCII message is:
Start Unit Address Message LRC End
ASCII 58 2 characters N characters 2 characters ASCII 13 + ASCII 10
Where:
The Unit Address field is the PLC Address encoded as 2 hexadecimal characters.
The Message field is a Modbus PDU where each byte is encoded as 2 hexadecimal characters.
The maximum length of
the Message field is is 506 characters.
The LRC field is the Longitudinal Redundancy Check of the Address and Message fields.
The maximum Modbus ASCII message length is 513 characters.
Modbus RTU
Modbus RTU uses 8-bit Serial Communications to send Modbus messages.
The structure of a Modbus RTU message is:
Unit Address Message CRC
1 Byte N Bytes 2 Bytes
Where:
The Unit Address field is the PLC Address encoded as single byte.
The Message field is a Modbus PDU.
The maximum length of the Message field is is 253 bytes.
The CRC field is the Cyclic Redundancy Check of the Unit Address and Message fields.
The maximum Modbus RTU message length is 256 bytes.
Modbus TCP
Modbus TCP uses a TCP/IP link to send and receive Modbus messages.
The structure of a Modbus TCP message is:
Transaction Id Protocol Length Unit Address Message
2 Bytes 2 Bytes 2 Bytes 1 Byte N Bytes
Where:
The Transaction Id field identifies the transaction.

The Protocol field is zero to indicate Modbus protocol.
The Length field is the number of following bytes.
The maximum Modbus TCP message length is 260 bytes.
Unit Address
Note: Real Modbus TCP devices use the Unit Address field in different ways:
Some Modbus TCP devices ignore Unit Address.

Some Modbus TCP devices require a fixed value for Unit Address, for example 0 or 255.
Some Modbus TCP devices are a gateway to multiple PLC where the Unit Address selects which PLC to communicate
with.
Modbus RTU over TCP
Modbus RTU over TCP is a non-standard variant of Modbus TCP that includes the CRC from the Modbus RTU message.
The structure of a Modbus RTU over TCP message is:
Transaction Id Protocol Length Unit Address Message CRC
2 Bytes 2 Bytes 2 Bytes 1 Byte N Bytes 2 Bytes
Where:
The Transaction Id field identifies the transaction.

The Protocol field is zero to indicate Modbus protocol.
The Length field is the number of following bytes.
The CRC field is the Cyclic Redundancy Check of the Address and Message fields.
Modbus PDU
The Modbus Protocol supports these PDU:
Modbus Read Coils (01)

Modbus Read Discrete Inputs (02)
Modbus Read Holding Registers (03)
Modbus Read Input Registers (04)
Modbus Write Single Coil (05)
Modbus Write Single Register (06)
Modbus Write Multiple Registers (16)
Modbus Read Coils (01)
Modbus Read Coils, function code 01, reads between 1 and 2000 output coils (bits) from the PLC.
The request PDU consists of 5 bytes:
Offset Length Description Values

0 Byte Function Code 01
2 Word First coil address 0000h - FFFFh
4 Word Coil count 0001 - 07D0h
The normal response varies in length from 3 bytes up to 252 bytes depending on the number of coils requested:

1 Byte Byte Count (CoilCount + 7) / 8
2 N Bytes Coil data ...
Note: The total number of bytes returned is 2 + (CoilCount + 7) / 8, where CoilCount is the number of coils requested.
For
example a request for 1 coil, will return 3 bytes.
A request for 8 coils will also return 3 bytes.
A request for 9 coils will
return 4 bytes.
The largest request possible is for 2000 coils, which will return 252 bytes.
If the PLC detects an error in the request, for example an address that is not available, an error response will be sent:

0 Byte Function Code 81h
1 Byte Exception Code See Exception Codes
Example:
Read 12 coils starting at 00033 from a PLC at address 2.
Response with coils 00040 and 00042 set and all others
clear :
Request Response
Modbus 3A 30 32 30 31 30 30 32 30 30 30 30 43 44 3A 30 32 30 31 30 32 38 30 30 32 37
ASCII 31 0D 0A 39 0D 0A
Modbus 02 01 00 20 00 0C 3D F6 02 01 02 80 02 1D FD
RTU
Modbus 00 05 00 00 00 06 02 01 00 20 00 0C 00 05 00 00 00 05 02 01 02 80 02
TCP
Note: The PDU part of each request and response is shown in Blue.
Modbus Read Discrete Inputs (02)
Modbus Read Discrete Inputs, function code 02, reads between 1 and 2000 inputs from the PLC.

2 Word First input address 0000h - FFFFh
4 Word Input count 0001 - 07D0h
The normal response varies in length from 3 bytes up to 252 bytes depending on the number of inputs requested:

1 Byte Byte Count (InputCount + 7) / 8
2 N Bytes Input data ...
Note: The total number of bytes returned is 2 + (InputCount + 7) / 8. InputCount is the number of inputs requested.
For
example a request for 1 input, will return 3 bytes.
A request for 8 inputs will also return 3 bytes.
A request for 9 inputs will
return 4 bytes.
The largest request possible is for 2000 inputs, which will return 252 bytes.

Example:
Read 16 inputs starting at 10501 from a PLC at address 1.
Response with inputs 10501 and 10503 set and all
others clear :
Request Response
Modbus 3A 30 31 30 32 30 31 46 34 30 30 32 30 45 3A 30 31 30 32 30 32 30 35 30 30 46
ASCII 38 0D 0A 36 0D 0A
Modbus 01 02 01 F4 00 20 39 DC 01 02 02 05 00 BA E8
RTU
Modbus 00 0A 00 00 00 06 01 02 01 F4 00 20 00 0A 00 00 00 05 01 02 02 05 00
TCP
Modbus Read Holding Registers (03)
Modbus Read Holding Registers, function code 03, reads between 1 and 125 holding registers from the PLC.

4 Word Register count 0001 - 007Dh
The normal response varies in length from 4 bytes up to 252 bytes depending on the number of holding registers requested:

1 Byte Byte Count RegisterCount * 2
2 N Bytes Register data ...
Note: The total number of bytes returned is 2 + 2 * RegisterCount, where RegisterCount is the number of holding
registers requested.
For example a request for 1 holding register, will return 4 bytes.
A request for 2 holding registers will
return 6 bytes.
A request for 125 holding registers will return 252 bytes.

Example:
Read 2 holding registers starting at address 40601 from a PLC at address 1.
Response returns register 40601
value 1000, and register 40602 value 5000:
Request Response
Modbus 3A 30 31 30 33 30 32 35 38 30 30 30 3A 30 31 30 33 30 34 30 33 45 38 31 33 38
ASCII 32 41 30 0D 0A 38 37 32 0D 0A
Modbus 01 03 02 58 00 02 44 60 01 03 04 03 E8 13 88 77 15
RTU
Modbus 00 0F 00 00 00 06 01 03 02 58 00 02 00 0F 00 00 00 07 01 03 04 03 E8 13 88
TCP
Modbus Read Input Registers (04)
Modbus Read Input Registers, function code 04, reads between 1 and 125 input registers from the PLC.

4 Word Register count 0001 - 007Dh
The normal response varies in length from 4 bytes up to 252 bytes depending on the number of input registers requested:

1 Byte Byte Count RegisterCount * 2
2 N Bytes Register data ...
Note: The total number of bytes returned is 2 + 2 * RegisterCount, where RegisterCount is the number of input registers
requested.
For example a request for 1 input register, will return 4 bytes.
A request for 2 input registers will return 6 bytes.
A request for 125 input registers will return 252 bytes.

Example:
Read 2 input registers starting at address 30201 from a PLC at address 1.
Response returns register 30201 value
10000, and register 30202 value 50000:
Request Response
Modbus 3A 30 31 30 34 30 30 43 38 30 30 30 3A 30 31 30 34 30 34 32 37 31 30 43 33 35
ASCII 32 33 31 0D 0A 30 41 44 0D 0A
Modbus 01 04 00 C8 00 02 F0 35 01 04 04 27 10 C3 50 A0 39
RTU
Modbus 00 14 00 00 00 06 01 04 00 C8 00 02 00 14 00 00 00 07 01 04 04 27 10 C3 50
TCP
Modbus Write Single Coil (05)
Modbus Write Single Coil, function code 05, writes a single coil to the PLC.

4 Word Coil value 0x0000 or 0xFF00
The normal response is the request reflected back:


4 Word Coil value 0x0000 or 0xFF00
If the PLC detects an error, for example an address that is not available, an error response will be sent:

Example: Set coil 00101 in device with address 1 to 1.
Request Response
Modbus 3A 30 31 30 35 30 30 36 34 46 46 30 30 3A 30 31 30 35 30 30 36 34 46 46 30 30
ASCII 39 37 0D 0A 39 37 0D 0A
Modbus 01 05 00 64 FF 00 CD E5 01 05 00 64 FF 00 CD E5
RTU
Modbus 00 19 00 00 00 06 01 05 00 64 FF 00 00 19 00 00 00 06 01 05 00 64 FF 00
TCP
Modbus Write Single Register (06)
Modbus Write Single Register, function code 06, writes a single register to the PLC.

2 Word First register address 0000h - FFFFh
4 Word Register value 0000h - FFFFh
The normal response is the request reflected back:

4 Word Register value 0000h - FFFFh

Example: Set Holding Register 40101 in device with address 1 to 15000.
Request Response
Modbus 3A 30 31 30 36 30 30 36 34 33 41 39 38 3A 30 31 30 36 30 30 36 34 33 41 39 38
ASCII 43 33 0D 0A 43 33 0D 0A
Modbus 01 06 00 64 3A 98 98 DB 01 06 00 64 3A 98 98 DB
RTU
Modbus 00 1E 00 00 00 06 01 06 00 64 3A 98 00 1E 00 00 00 06 01 06 00 64 3A 98
TCP
Modbus Write Multiple Registers (16)

Modbus Write Multiple Registers, function code 16, writes between 1 and 123 registers to the PLC.
The request PDU consists of between 8 and 252 bytes:

4 Word Register Count 0000h - 007Bh
5 Byte Byte Count 0000h - 007Bh
6 N Words Register values ...
The normal response consists of 5 bytes:

4 Word Register Count 0000h - 007Bh

Example: In the PLC at address 28, set register 40101 to 1000 and register 40102 to 2000.
Request Response
Modbus 3A 31 43 31 30 30 30 36 34 30 30 30 32 30 34 30 33 3A 31 43 31 30 30 30 36 34 30
ASCII 45 38 30 37 44 38 41 30 0D 0A 30 30 32 36 45 0D 0A
Modbus 1C 10 00 64 00 02 04 03 E8 07 D8 19 02 1C 10 00 64 00 02 03 9A
RTU
Modbus 00 23 00 00 00 0B 1C 10 00 64 00 02 04 03 E8 07 D8 00 23 00 00 00 06 1C 10 00 64
TCP 00 02
Modbus Exception Codes

An exception code is a single byte providing an explanation of an error:
Code Description
01h Illegal function
02h Illegal data address
03h Illegal data value
04h Slave device failure
Further Information
Modbus Data Address Format
To learn how modbus data addresses are presented in human readable form.
Modbus Register Block Tag
To learn about Modbus Register Block Tags.
Modbus Driver
For an overview of the Modbus Driver.
Glossary
For the meaning of terms used in Fernhill SCADA.
Fernhill SCADA Version 3.78 (20211130.3). Copyright © 2012-2021 Fernhill Software Ltd: All rights reserved.

Modbus Protocol Overview With Examples1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Modbus Protocol Overview With Examples1

Uploaded by

Copyright:

Available Formats

12/8/21, 11:27 AM Modbus Protocol Overview with Examples

Modbus Data Types.

Modbus Data Types

Data Type Access Description

Modbus Message Structure

The client sends a request to a Modbus device.

Unit Address Modbus PDU Error Check

Modbus ASCII - A serial protocol using a subset of ASCII characters.

Start Unit Address Message LRC End

ASCII 58 2 characters N characters 2 characters ASCII 13 + ASCII 10

The structure of a Modbus RTU message is:

Unit Address Message CRC

1 Byte N Bytes 2 Bytes

The structure of a Modbus TCP message is:

Transaction Id Protocol Length Unit Address Message

2 Bytes 2 Bytes 2 Bytes 1 Byte N Bytes

The Transaction Id field identifies the transaction.

Some Modbus TCP devices ignore Unit Address.

Modbus RTU over TCP

The structure of a Modbus RTU over TCP message is:

Transaction Id Protocol Length Unit Address Message CRC

2 Bytes 2 Bytes 2 Bytes 1 Byte N Bytes 2 Bytes

The Transaction Id field identifies the transaction.

Modbus Read Coils (01)

Modbus Read Coils (01)

The request PDU consists of 5 bytes:

Offset Length Description Values

Offset Length Description Values

Offset Length Description Values

Modbus Read Discrete Inputs (02)

The request PDU consists of 5 bytes:

Offset Length Description Values

Offset Length Description Values

Offset Length Description Values

Modbus Read Holding Registers (03)

The request PDU consists of 5 bytes:

Offset Length Description Values

Offset Length Description Values

Offset Length Description Values

Modbus Read Input Registers (04)

The request PDU consists of 5 bytes:

Offset Length Description Values

Offset Length Description Values

Offset Length Description Values

Modbus Write Single Coil (05)

The request PDU consists of 5 bytes:

Offset Length Description Values

The normal response is the request reflected back:

Offset Length Description Values

2 Word First coil address 0000h - FFFFh

Offset Length Description Values

Example: Set coil 00101 in device with address 1 to 1.

Modbus Write Single Register (06)

The request PDU consists of 5 bytes:

Offset Length Description Values

The normal response is the request reflected back:

Offset Length Description Values

Offset Length Description Values

Example: Set Holding Register 40101 in device with address 1 to 15000.

Modbus Write Multiple Registers (16)

The request PDU consists of between 8 and 252 bytes:

Offset Length Description Values

The normal response consists of 5 bytes:

Offset Length Description Values