Professional Documents
Culture Documents
Article # 000023337
Title Understanding Modbus Send and Receive Response Logging for Diagnostics
Published On 3/11/2016
PROBLEM
Title
SOLUTION
Summary
This Tech Note outlines how to interpret the DASSend and DASReceive logging that is available for Wonderware Modbus Ethernet DAServer
(DASMBTCP). You can view the message contents in the Wonderware System Management Console log for troubleshooting purposes.
Situation
Application Versions
Every interaction between DASMBTCP and the PLC via Ethernet requires a request to be sent and a response to be received. The structure of the
data in this interaction is predefined within the Modbus Protocol Specifications.
First, the server needs to send a request to the client (PLC). This message to the client is in hexadecimal and contains several parts, a header, slave
identification, actions requested, registers to interact with, and checksums, etc.
Read Messages
Transaction ID – 2 bytes – This is a unique identifier for the transaction. This is key info, especially when the Maximum Outstanding Messages
option is set higher than 1 and the device supports concurrent messages. This ID is used by the server to match the sent requests with the
received data.
Protocol ID – 2 bytes – 0 indicates Modbus protocol.
Length of data to follow – 2 bytes – How many bytes are contained in the remainder of the sent message. (Checksum)
PLC Unit ID – 1 byte – Used to direct the message to a slave device in a bridge configuration. Non-bridge Modbus configurations assume slave
ID 255. This ID will be returned in the response to link the sent requests and received data.
Modbus Function Code – 1 byte – What Modbus function to execute against the tags in this message
Transaction ID – 2 bytes – This is a unique identifier for the transaction. This is key info, especially when the Maximum Outstanding Messages
option is set higher than 1 and the device supports concurrent messages. This ID is used by the server to match the sent requests with the
received data.
Protocol ID – 2 bytes – 0 indicates Modbus protocol.
Length of data to follow – 2 bytes – How many bytes are contained in the remainder of the receive message. (Checksum)
PLC Unit ID – 1 byte – Used to indicate the slave device which sent this data in a bridge configuration. This is used to link the sent requests and
received data.
Modbus Function Code – 1 byte – If the sent function executed successfully, the original code is returned, otherwise an exception code is
returned with details. (See the Exception Code Section of this document)
Length of data to follow – 1 byte – How many bytes are contained in the remainder of the receive message. (Checksum)
Values read – 2 bytes per register – The values contained in the registers that were requested in the sent message.
Write Messages
Transaction ID – 2 bytes – This is a unique identifier for the transaction. This is key info, especially when the Maximum Outstanding Messages
option is set higher than 1 and the device supports concurrent messages. This ID is used by the server to match the sent requests with the
received data.
Protocol ID – 2 bytes – 0 indicates Modbus protocol.
Length of data to follow – 2 bytes – How many bytes are contained in the remainder of the sent message. (Checksum)
PLC Unit ID – 1 byte – Used to direct the poke message to a slave device in a bridge configuration. Non-bridge Modbus configurations assume
slave ID 255. This ID will be returned in the response to link the sent requests and received data.
Modbus Function Code – 1 byte – What Modbus function to execute against the tags in this message.
Starting address to poke – 2 bytes – Address of the first register to interact with. (0-based)
Number of registers to poke – 2 bytes – How many contiguous registers, including the starting register, will be poked.
Length of data to follow – 1 byte – How many bytes are contained in the remainder of the poke message. (Checksum)
Values poked – 2 bytes per register - The values poked to the registers that were indicated in the sent message.
Transaction ID – 2 bytes – This is a unique identifier for the transaction. This is key info, especially when the Maximum Outstanding Messages
option is set higher than 1 and the device supports concurrent messages. This ID is used by the server to match the sent requests with the
received data.
Protocol ID – 2 bytes – 0 indicates Modbus protocol.
Length of data to follow – 2 bytes – How many bytes are contained in the remainder of the receive message. (Checksum)
PLC Unit ID – 1 byte – Used to indicate the slave device which sent this data in a bridge configuration. This is used to link the sent requests and
received data.
Modbus Function Code – 1 byte – If the sent function executed successfully, the original code is returned, otherwise an exception code is
returned with details. (See exception code section of this document)
Starting address poked – 2 bytes – Address of the first register that was poked. (0-based)
Number of registers poked – 2 bytes – How many contiguous registers, including the starting register, were poked.
Once DASMBTCP is installed, you can enable optional log flags in order to observe the DAServer to PLC communications using the Modbus Protocol.
1. Open the System Management Console and expand Log Viewer > Default Group > Local (Figure 1 below).
Figure 1: Locate and Open Log Viewer > Default Group > Local
2. Right-click Local and click Log Flags (Figure 2 below).
Note: Once your analysis is complete, disable these flags since they will log a large amount of data.
This Tech Note uses the wwclient Utility and a Modbus simulator to read five tags with static values (Figure 4 below).
Now that the logs flags are enabled, you can see what is recorded in the log while reading the data (Figure 5 below).
The Hex characters you see in the log messages represent the Modbus Protocol communications.
First, you can analyze the message sent from DASMBTCP to the PLC.
Hex
Description Value
Character
9 6f Transaction ID 096F hex = 2415 decimal
00 Protocol ID 0000 = Modbus protocol
Length of data to follow (byte
06 0006 = 6 bytes to follow
count)
ff PLC Unit ID FF = 255 decimal (255 is the unit ID for this device)
3 Modbus Function Code 03 = read holding register
00 Starting address (0-based) 0000 = address 0 which is addressed as 40001 in this case
0005 = read five registers beginning at the starting address (40001
05 Number of registers to read
through 40005)
Then you can analyze the response from the PLC back to the DAServer.
A value of 2 was poked to register 40001. The following data appears in the log (Figure 6 below).
First, you can analyze the poke message sent from DASMBTCP to the PLC:
Then you can analyze the response from the PLC back to the DAServer, confirming the write.
Exception code messages are received when the transaction fails. These messages are structured slightly differently, since an exception indicator and
reason must be included. In this example, all the registers are set to read-only. Then a poke was attempted using a value of 3 to holding register
400003 (Figure 7 below).
First, you can analyze the poke message sent from DASMBTCP to the PLC.
Then you can analyze the response from the PLC back to the DAServer, containing the exception information.
Hex
Description Value
Character
0 39 Transaction ID 0039 hex = 57 decimal
00 Protocol ID 0000 = Modbus protocol
Length of data to follow (byte
03 0003 = 3 bytes to follow
count)
ff PLC Unit ID FF = 255 decimal (255 is the unit ID for this device)
Modbus Function/Exception 90 = 10+80 (hex) - Original sent function code 10 plus 80 to indicate
90
Code exception
01 = Exception code 01 (see chart below for exception codes that can
1 Exception code
be returned)
Exception
Code Name Explanation
(Hex)
The function code received in the query is not an allowable action for the slave. This may be because the function
code is only applicable to newer controllers, and was not implemented in the unit selected.
01 ILLEGAL FUNCTION
It could also indicate that the slave is in the wrong state to process a request of this type; for example, because it
is unconfigured and is being asked to return register values.
The data address received in the query is not an allowable address for the slave. More specifically, the
ILLEGAL DATA combination of reference number and transfer length is invalid.
02
ADDRESS For a controller with 100 registers, a request with offset 96 and length 4 would succeed, a request with offset 96
and length 5 will generate exception 02.
A value contained in the query data field is not an allowable value for the slave. This indicates a fault in the
structure of the remainder of a complex request, such as that the implied length is incorrect.
ILLEGAL DATA
03 It specifically does NOT mean that a data item submitted for storage in a register has a value outside the
VALUE
expectation of the application program, since the MODBUS protocol is unaware of the significance of any
particular value of any particular register.
Indicates that the request as framed would generate a response whose size exceeds the available MODBUS
ILLEGAL RESPONSE
04 data size.
LENGTH
Used only by functions generating a multi-part response, such as functions 20 and 21.
05 ACKNOWLEDGE Specialized use in conjunction with programming commands.
06 SLAVE DEVICE BUSY Specialized use in conjunction with programming commands.