What is Modbus TCP?

Modbus TCP is an industrial communication standard based on the classic Modbus protocol, but operating over Ethernet and TCP/IP rather than serial communication (such as RS-485).

The protocol is widely used for simple and reliable communication between PLCs, HMIs, SCADA systems, Sensors, Actuators and I/O modules.

🧠 What does Modbus TCP do?

Modbus TCP:

Sends measurement and control data over standard Ethernet
Uses the Modbus protocol as its application layer
Sends messages over port 502 using TCP/IP
Supports master-slave communication (one client driving multiple servers)

🔧 Key characteristics

Characteristic	Description
Protocol type	Open standard, free to use
Transport layer	TCP/IP (port 502) over Ethernet
Structure	Client/server (master/slave)
Message format	Contains a Modbus PDU within a TCP frame
Scalability	Multiple clients and servers possible
Read/write operations	Registers, coils, discrete inputs

📦 Example applications

SCADA ↔ PLC communication
PLC ↔ remote I/O or variable frequency drives
Monitoring of energy or water meters
Connecting HMIs to Sensors/Actuators
Integrating existing installations with new systems

🔌 Modbus TCP vs. Modbus RTU

Aspect	Modbus TCP	Modbus RTU
Physical layer	Ethernet (RJ45, TCP/IP)	Serial (RS-232 / RS-485)
Speed	High (10/100/1000 Mbit/s)	Lower (typically 9.6–115.2 kbit/s)
Topology	Star or switched network	Bus structure
Compatibility	Modern networks and IT integration	Simple legacy systems
Addressing	IP addresses	Slave ID numbers

🏭 Examples of Modbus TCP devices

Siemens, Schneider, ABB, WAGO PLCs
HMI panels with Ethernet
I/O modules from Advantech, Beckhoff, Phoenix Contact
Smart energy meters and flow meters

✅ Benefits

Simple and robust protocol
Broadly supported by manufacturers
Open standard with no licensing fees
Easy to implement in SCADA or software platforms

🔒 Note: security

Modbus TCP itself provides no built-in security. It is therefore important to:

Use a Firewall
Segment networks (e.g. via VLAN or DMZ)
Allow Modbus communication only internally
Make use of secured variants (such as Modbus over TLS)

🔍 Deep dive: how does Modbus TCP work?

📤 1. The client sends a request

The Modbus client (master) assembles a TCP message containing:

A Modbus Application Protocol (MBAP) header (7 bytes)
A PDU (Protocol Data Unit) with:
Function code (such as ‘read register’ = 0x03)
Start address (e.g. 40001)
Number of registers to read or write

Example:

Read 4 registers starting at address 40001 (function code 0x03).

This is sent over port 502 via TCP/IP to the IP address of the Modbus TCP device.

📥 2. The server receives and processes the message

The Modbus server (slave) receives the message and performs the following:

Validates the instruction (address, type, access)
Reads or writes the requested registers or coils
Constructs a response with the requested data (or error code)

🔁 3. Response back to the client

The server sends a Modbus TCP response back over the same TCP connection. It contains:

The original MBAP header (with transaction ID)
Function code (possibly with the error bit set)
Read values or confirmation of the successful action

In case of an error (e.g. invalid address), an error code is returned with the high bit of the function code set to 1 (e.g. 0x83 = error in 0x03).

🧪 Sample exchange

Client sends: “Read 2 registers from 40001”
Server responds: “Register 40001 = 123, Register 40002 = 456”
The client processes this data for monitoring or control

🧠 Common function codes

Function code	Description
`0x01`	Read discrete outputs (coils)
`0x02`	Read discrete inputs
`0x03`	Read holding registers
`0x04`	Read input registers
`0x05`	Write single coil
`0x06`	Write single register
`0x10`	Write multiple registers

📌 In summary

Modbus TCP is a simple and widely used Ethernet protocol for communication between industrial devices. It combines the simplicity of the Modbus protocol with the speed and flexibility of modern Ethernet networks.

IT OT Convergence

Explorer

Modbus TCP