Modbus TCP/IP

Modbus TCP/IP: Industrial Protocol Meets Ethernet

Imagine sending a letter through the postal service: you write your message, put it in an envelope with a recipient address, and drop it in a mailbox. Now imagine sending the same message as an email: you type the same content, but wrap it in an email format with sender/recipient addresses, subject line, and send it through the internet.

This analogy perfectly describes Modbus TCP/IP. It takes the same core Modbus protocol (the “message content”) and wraps it in TCP/IP packets (the “email envelope”) for transmission over Ethernet networks. Let’s dive into this industrial communication evolution.

The Mail vs Email Analogy: Modbus RTU vs TCP

| Traditional Mail | Modbus RTU | Email | Modbus TCP |
|---|---|---|---|
| Handwritten Letter | Modbus PDU (Protocol Data Unit: function code + data) | Email Body | Same Modbus PDU |
| Envelope with Address | Slave Address + CRC around the PDU | Email Header (From, To, Subject) | MBAP Header (Transaction ID, Protocol ID, Length, Unit ID) |
| Postal Service | Serial Communication (RS-485/RS-232) | Internet | Ethernet/TCP/IP Network |
| Physical Delivery | Bit-by-bit serial transmission | Packet-based transmission | TCP/IP packet transmission |
| Limited Speed/Distance | Typically 9,600-115,200 bps, about 1,200 m per RS-485 segment | High Speed/Global | 10 Mbps-10 Gbps, routable across networks |
| Single Delivery Route | Single serial line | Multiple Network Paths | Multiple Ethernet paths with redundancy |

Modbus TCP: The Basics

Modbus TCP (also written Modbus/TCP or Modbus TCP/IP) is the Ethernet variant of the Modbus protocol. Schneider Electric published it in 1999, and the specification is now maintained as an open standard by the Modbus Organization.

Core Principles

  • MBAP Header: a 7-byte header prepended to every PDU. The serial slave address and CRC are dropped, because IP handles addressing and Ethernet/TCP handle error detection.

MBAP Header: The TCP ‘Envelope’

MBAP stands for Modbus Application Protocol header. It is the “email envelope” that wraps the Modbus PDU for TCP/IP transmission. The MBAP header is 7 bytes long and carries what the receiver needs to match responses to requests, to find frame boundaries in the TCP byte stream, and to route the PDU to the right unit behind a gateway.

MBAP Header Structure

| Field | Size (bytes) | Description | Example |
|---|---|---|---|
| Transaction ID | 2 | Identifier for matching requests to responses; the client picks it, the server echoes it | 00 01 (client increments it for each request) |
| Protocol ID | 2 | Always 00 00 for Modbus TCP; other values are reserved and a receiver should reject them | 00 00 |
| Length | 2 | Number of bytes following this field (Unit ID + PDU) | 00 06 (Unit ID + 5-byte PDU) |
| Unit ID | 1 | Identifies the serial slave behind a TCP-to-serial gateway; for a native TCP device use 0xFF (0x00 is also accepted) | 05 (same as the RTU slave address) |

Example MBAP Header + PDU

Scenario: A client reads holding register 40001 (PDU address 0x0000, since 4xxxx register numbers are 1-based) from unit 5 using function code 03.

```text
MBAP Header: [00 01] [00 00] [00 06] [05]
PDU:         [03] [00 00] [00 01]
Full Message: 00 01 00 00 00 06 05 03 00 00 00 01
```

Breakdown:

  • MBAP: 00 01 (Transaction ID 1), 00 00 (Protocol ID, always zero), 00 06 (6 bytes follow: Unit ID + 5-byte PDU), 05 (Unit ID 5)

  • PDU: 03 00 00 00 01 (Read Holding Registers, starting address 0x0000, quantity 1)
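The encoding above is easy to get wrong in the Length field and in the exception path, so here is the exchange worked end to end as an added example (not code from the original article). It builds the request shown above, answers it with a minimal in-process server-side handler, and decodes the response on the client side, checking the Protocol ID, the Length field and the Transaction ID, and turning an exception response (function code with the high bit set) into a Python exception. The register table and the transaction IDs are constructed sample data.

```python
"""Modbus TCP ADU encode/decode for the page's scenario: FC 03, unit 5, register 40001.

Added example: both the client side (build request, parse response) and a minimal
server-side handler, so the exchange runs in-process with no network.
"""
import struct

PROTOCOL_ID = 0                 # MBAP Protocol ID is always 0 for Modbus TCP
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


class ModbusException(Exception):
    """Raised by the client when the server answers with FC | 0x80 and an exception code."""
    def __init__(self, function_code: int, exception_code: int):
        super().__init__(f"FC {function_code:#04x} failed with exception {exception_code:#04x}")
        self.function_code = function_code
        self.exception_code = exception_code


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header: tid(2) proto(2) length(2) unit(1).
    Length counts everything after itself, i.e. unit_id + PDU."""
    return struct.pack(">HHHB", transaction_id, PROTOCOL_ID, len(pdu) + 1, unit_id) + pdu


def build_read_holding_request(transaction_id: int, unit_id: int, start_addr: int, quantity: int) -> bytes:
    """FC 03 request. start_addr is the 0-based PDU address (register 40001 -> 0)."""
    if not 1 <= quantity <= 125:
        raise ValueError("FC 03 allows 1..125 registers per request")
    return build_adu(transaction_id, unit_id, struct.pack(">BHH", 0x03, start_addr, quantity))


def split_adu(adu: bytes):
    """Validate the MBAP header and return (transaction_id, unit_id, pdu)."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(adu) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(adu) - 6} bytes on the wire")
    return tid, unit, adu[7:]


def handle_request(adu: bytes, registers: dict) -> bytes:
    """Server side: answer FC 03 from a {address: value} table, else return an exception response."""
    tid, unit, pdu = split_adu(adu)
    fc = pdu[0]
    if fc != 0x03:
        return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))
    start, qty = struct.unpack(">HH", pdu[1:5])
    if not 1 <= qty <= 125 or any(a not in registers for a in range(start, start + qty)):
        return build_adu(tid, unit, bytes([0x83, EXC_ILLEGAL_DATA_ADDRESS]))
    data = b"".join(struct.pack(">H", registers[a]) for a in range(start, start + qty))
    return build_adu(tid, unit, bytes([0x03, len(data)]) + data)


def parse_read_holding_response(adu: bytes, expected_tid: int) -> list:
    """Client side: match the transaction id, detect exceptions, decode 16-bit big-endian registers."""
    tid, _unit, pdu = split_adu(adu)
    if tid != expected_tid:
        raise ValueError(f"transaction id {tid} does not match request {expected_tid}")
    fc = pdu[0]
    if fc & 0x80:
        raise ModbusException(fc & 0x7F, pdu[1])
    if fc != 0x03:
        raise ValueError(f"unexpected function code {fc:#04x}")
    byte_count = pdu[1]
    if byte_count != len(pdu) - 2 or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))


def read_register_40001(registers: dict) -> list:
    """The page's scenario end to end: request 00 01 00 00 00 06 05 03 00 00 00 01, then decode the reply."""
    request = build_read_holding_request(transaction_id=1, unit_id=5, start_addr=0, quantity=1)
    response = handle_request(request, registers)
    return parse_read_holding_response(response, expected_tid=1)


if __name__ == "__main__":
    sample_registers = {0: 0x08CA}            # constructed: register 40001 holds 2250
    print(read_register_40001(sample_registers))   # [2250]
    try:
        read_register_40001({})                    # nothing at address 0 -> exception 0x02
    except ModbusException as exc:
        print(exc)
```

Note that `split_adu` rejects a frame whose Length field disagrees with the bytes actually received; a client that trusts the Length field blindly is the usual source of parser bugs on this protocol.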

Network Fundamentals: IP Addressing and Port 502

IP Addressing for Modbus TCP Devices

Each Modbus TCP device must have a unique IP address on the Ethernet network, just like each email user needs a unique email address.

Example IP Configuration:

  • Subnet Mask: 255.255.255.0

TCP Port 502: The Modbus Inbox

TCP port 502 is the default port for Modbus TCP communication, like a specific email inbox dedicated to Modbus messages.

  • Firewall Considerations: TCP port 502 must be reachable from the clients that need it, so allow it only from those specific client addresses and never expose it to the internet

Modbus TCP vs RTU: Advantages and Disadvantages

Advantages of Modbus TCP

1. Higher Speed: Ethernet speeds (10 Mbps to 10 Gbps) vs RTU’s typical 115.2 kbps maximum

2. Longer Distance: Can span routed networks and sites (over a VPN when the path crosses untrusted networks)

3. Multiple Clients: Supports multiple clients talking to the same server (unlike RTU’s single master)

4. Better Diagnostics: TCP/IP provides built-in error checking and network diagnostics

5. IT Integration: Seamlessly integrates with existing IT networks and tools

6. Redundancy: Supports redundant network paths for reliability

7. Easier Troubleshooting: Tools like Wireshark simplify packet analysis

Disadvantages of Modbus TCP

1. More Complex Setup: Requires IP configuration vs RTU’s simple serial settings

2. Higher Cost: Ethernet hardware is typically more expensive than serial

3. Network Dependency: Vulnerable to network congestion, outages, and cybersecurity threats

4. Latency Variability: TCP/IP can have variable latency vs RTU’s deterministic timing

5. Legacy Incompatibility: Older RTU devices require gateways to connect to TCP networks

When to Choose TCP vs RTU

| Factor | Choose TCP | Choose RTU |
|---|---|---|
| Network Size | Large (many devices) | Small (RS-485 segments are typically limited to 32 nodes without repeaters; 247 addresses max) |
| Distance | Long (routed Ethernet/IP reach) | Short (≤ 1,200 m per segment) |
| Speed Needs | High | Moderate |
| IT Integration | Required | Not needed |
| Budget | Higher | Lower |
| Legacy Devices | Mix of new and old (with gateways) | All legacy |

Wireshark Analysis: What Modbus TCP Looks Like on the Wire

Wireshark is a packet analyzer (a “packet sniffer”) that shows exactly what is on the wire, and it ships with a Modbus/TCP dissector: filter on `mbtcp` or `tcp.port == 502` to isolate the conversation. Here is what a Modbus TCP exchange looks like in Wireshark:

Example Wireshark Capture Description

#### 1. Ethernet Frame

  • EtherType: 0x0800 (IPv4)

#### 2. IP Header

  • Protocol: 0x06 (TCP)

#### 3. TCP Header

  • Flags: PSH, ACK on the segments that carry Modbus data (SYN, SYN/ACK and ACK appear only in the initial three-way handshake)

#### 4. Modbus TCP Packet

  • PDU: [03] [00 00] [00 01] (Read Holding Registers request)

#### 5. Response Packet

  • PDU: [03] [02] [08] [CA] (function 03, byte count 2, one register with value 0x08CA = 2250)

What to Look For in Wireshark

  • Error Codes: Look for exception responses, i.e. a function code with the highest bit set (83 instead of 03) followed by a one-byte exception code, e.g. 83 02 for Illegal Data Address

Practical Modbus TCP Configuration Example

System Components

  • Servers:

– Temperature Controller: 192.168.1.60

– Motor Drive: 192.168.1.61

– Pressure Transmitter: 192.168.1.62

  • Network: 100 Mbps Ethernet with redundant switches

Configuration Steps

1. Assign unique IP addresses to all devices

2. Set a default gateway only if the devices must be reached from other subnets; Modbus devices should never be reachable from the internet

3. Configure the SCADA client to connect to each server at its IP address on TCP port 502, and restrict port 502 on each server (or the firewall in front of it) to the SCADA client’s address

4. Test communication with a Modbus TCP testing tool

5. Set up Wireshark for monitoring and troubleshooting

Security Considerations

Modbus TCP inherits the risks of IP networks and adds none of the protections that modern protocols carry:

1. No Built-in Encryption or Integrity: Modbus TCP packets are plaintext, so anyone on the path can read and alter them. Tunnel the traffic over a VPN or IPsec, or use Modbus/TCP Security, the Modbus Organization’s TLS-based variant on TCP port 802.

2. Open Port 502: An exposed port 502 is easy to find with internet-wide scanners and is a standard target. Restrict it with firewalls to an allowlist of client addresses and never expose it to the internet.

3. No Authentication: Any host that can reach port 502 can read and write registers and coils, so network reachability is the only access control. Segment the OT network, allow only the SCADA hosts through, use read-only modes where devices support them, and monitor for write function codes (05, 06, 0F, 10) from unexpected sources.

4. Rogue Hosts and Spoofing: Because there is no authentication, a laptop plugged into the wrong switch port has full control. MAC filtering is trivially bypassed (MAC addresses are user-settable); use 802.1X port authentication and switch port security instead.
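Because the protocol itself offers no authentication, monitoring the traffic is the practical compensating control. The following passive monitor is an added example (not part of the original article) that puts together the “What to Look For in Wireshark” advice above and the allowlisting points in this section: it reassembles Modbus ADUs from TCP segments using the MBAP Length field (handling two ADUs in one segment and one ADU split across two), flags write function codes from any client that is not on an allowlist, and flags exception responses. The segment list, the client addresses and the allowlist are constructed; in practice the segments would come from a capture or a span port feed.

```python
"""Passive Modbus TCP monitor over captured TCP segments (added example; inputs are constructed)."""
import struct
from collections import defaultdict

WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
# Assumption: only the SCADA host at 192.168.1.10 may write; everything else is unexpected.
ALLOWED_WRITERS = {"192.168.1.10"}


def split_stream(buffer: bytes):
    """Cut complete ADUs out of a TCP byte stream using the MBAP Length field.
    Returns (list_of_adus, leftover_bytes); leftover is a partial ADU waiting for more data."""
    adus = []
    while len(buffer) >= 7:
        length = struct.unpack(">H", buffer[4:6])[0]
        total = 6 + length                      # 6 header bytes before Length's scope + Length
        if len(buffer) < total:
            break
        adus.append(buffer[:total])
        buffer = buffer[total:]
    return adus, buffer


def inspect(segments):
    """segments: iterable of (src_ip, dst_ip, dst_port, payload) in capture order.
    Returns a list of alert strings."""
    alerts = []
    pending = defaultdict(bytes)                # per-flow reassembly buffer
    for src, dst, dport, payload in segments:
        flow = (src, dst, dport)
        adus, pending[flow] = split_stream(pending[flow] + payload)
        for adu in adus:
            if len(adu) < 8:                    # Length < 2: no function code present
                alerts.append(f"{src}->{dst}: malformed ADU {adu.hex()}")
                continue
            tid, proto, _length, unit = struct.unpack(">HHHB", adu[:7])
            fc = adu[7]
            if proto != 0:
                alerts.append(f"{src}->{dst} tid={tid}: non-zero protocol id {proto}")
                continue
            if dport == 502:                    # request direction (client -> server)
                if fc in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
                    alerts.append(f"{src}->{dst} unit={unit} tid={tid}: "
                                  f"{WRITE_FUNCTIONS[fc]} from unauthorised client")
            elif fc & 0x80:                     # response direction, exception response
                alerts.append(f"{src}->{dst} unit={unit} tid={tid}: "
                              f"exception {adu[8]:#04x} for FC {fc & 0x7F:#04x}")
    return alerts


# Constructed capture: SCADA reads register 40001 from the temperature controller (fine),
# then an unknown host sends two writes to the motor drive, the second split across segments,
# and the drive answers the first write with an exception.
SAMPLE_SEGMENTS = [
    ("192.168.1.10", "192.168.1.60", 502,   bytes.fromhex("000100000006050300000001")),
    ("192.168.1.60", "192.168.1.10", 49152, bytes.fromhex("00010000000505030208CA")),
    ("192.168.1.99", "192.168.1.61", 502,   bytes.fromhex("0002000000060106000103E8" "000300000006")),
    ("192.168.1.99", "192.168.1.61", 502,   bytes.fromhex("01050000FF00")),
    ("192.168.1.61", "192.168.1.99", 51000, bytes.fromhex("00020000000301860 2".replace(" ", ""))),
]


if __name__ == "__main__":
    for line in inspect(SAMPLE_SEGMENTS):
        print(line)
```

Matching responses to requests here relies on the destination port alone; a production monitor would track each TCP connection’s direction from the handshake and pair responses to requests by Transaction ID, which also exposes unsolicited or duplicated responses.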

Conclusion: The Evolution of Modbus

Modbus TCP represents the evolution of Modbus into the digital age. By wrapping the familiar Modbus protocol in TCP/IP packets, it combines the simplicity and reliability of traditional Modbus with the speed, flexibility, and global reach of Ethernet.

The mail vs email analogy helps demystify Modbus TCP: it’s the same core message, but with a modern, more efficient delivery system. Whether you’re building a small factory network or connecting global industrial systems, Modbus TCP provides a proven, interoperable solution.

As industrial IoT (IIoT) continues to grow, Modbus TCP will remain a critical protocol, bridging legacy systems with modern digital infrastructure. Its open standard, wide adoption, and simple implementation make it the “universal language” of industrial Ethernet communication.