Modbus

<h2 id="protocol-description">Protocol description</h2>

Modbus standards or buses include:<a class="footnote-ref" id="fnref:8" href="#fn:8">8</a>

<ul><li>TCP/IP over Ethernet</li>
<li>Asynchronous serial communication in a wide range of standards, technologies: EIA/TIA-232-E, EIA-422, EIA/TIA-485-A, fiber, radio frequency,...</li>
<li>MODBUS PLUS, a high speed token passing network.</li></ul>

To support Modbus communication on a network, many modems and gateways incorporate proprietary designs (refer to the diagram: Architecture of a network for Modbus communication). Implementations may deploy either wireline or wireless communication, such as in the <a href="/facts/ISM_radio_band/8r8D1WB7">ISM radio band</a>, and even <a href="/facts/Short_Message_Service/kacRfW0X">Short Message Service</a> (SMS) or <a href="/facts/General_Packet_Radio_Service/c4SJD7ov">General Packet Radio Service</a> (GPRS).

<h3>PDU and ADU</h3>
Modbus defines client which is an entity that initiates a transaction to request any specific task from its request receiver.<a class="footnote-ref" id="fnref:9" href="#fn:9">9</a> The client's "request receiver", which the client has initiated the transaction with, is then called server.<a class="footnote-ref" id="fnref:10" href="#fn:10">10</a> For example, when a <a href="/facts/Microcontroller_unit/MKrnAhnm">Microcontroller unit</a> (MCU) connects to a sensor to read its data by Modbus on a wired network, e.g RS485 bus, the MCU in this context is the client and the sensor is the server. In former terminology, the client was named master and the server named slave.
Modbus defines a <a href="/facts/Protocol_data_unit/UJMVQEt9">protocol data unit</a> (PDU) independently to its lower layer protocols in its protocol stack. Mapping MODBUS protocol on specific buses or networks requires some additional fields, defined as the application data unit (ADU). The ADU is formed by a client inside a Modbus network when the client initiates a transaction. Contents are:<a class="footnote-ref" id="fnref:11" href="#fn:11">11</a>

<ul><li>PDU = Function code + data</li>
<li>ADU = Additional address + PDU + error check</li></ul>
The ADU is officially called a Modbus frame by the Modbus Organization,<a class="footnote-ref" id="fnref:12" href="#fn:12">12</a> although frame is used as the data unit in the data-link layer in the OSI and TCP/IP model (while Modbus is an application layer protocol).
PDU max size is 253 bytes. ADU max size on RS232/RS485 network is 256 bytes, and with TCP is 260 bytes.<a class="footnote-ref" id="fnref:13" href="#fn:13">13</a>
For data encoding, Modbus uses a big-endian representation for addresses and data fields. Thus, for a 16-bit value, the most significant byte is sent first. For example, when a 16-bit register has value 0x1234, byte 0x12 is sent before byte 0x34.<a class="footnote-ref" id="fnref:14" href="#fn:14">14</a>
Function code is 1 byte which gives the code of the function to execute. Function codes are integer values, ranging from 1 to 255, and the range from 128 to 255 is for exception responses.
The data field of the PDU has the address from 0 to 65535 (not to be confused with the address of the Additional address field of ADU).<a class="footnote-ref" id="fnref:15" href="#fn:15">15</a> The data field of the PDU can be empty, and then has a size of 0. In this case, the server will not request any information and the function code defines the function to be executed. If there is no error during the execution process, the data field of the ADU response from server to client will include the data requested, i.e. the data the client previously received. If there is any error, the server will respond with an exception code.<a class="footnote-ref" id="fnref:16" href="#fn:16">16</a>

<h3>Modbus transaction and PDU</h3>
A Modbus transaction between client and server includes:<a class="footnote-ref" id="fnref:17" href="#fn:17">17</a><a class="footnote-ref" id="fnref:18" href="#fn:18">18</a>

<ul><li>Step 1: Client initiates a request with PDU = Function code + data request</li>
<li>Step 2: Server receives the request from client. Server will then read/parse the function code, get the address of the data field of the PDU, then get this data field value and finally perform the action based on the function code. If there is no error during those steps, server will respond with PDU = Function code + data response. As long as there is no error during those steps, the server's responding function code will also be the function code sent from the client. If there is any error during those steps, the server will respond with PDU = Exception Function code + Exception code (Reference to PDU mb_excep_rsp_pdu defined below).</li>
<li>Step 3: Client receives the response and ends the transaction.</li></ul>
Based on that, Modbus defines 3 PDU types:<a class="footnote-ref" id="fnref:19" href="#fn:19">19</a>

<ul><li>MODBUS Request PDU, mb_req_pdu</li>
<li>MODBUS Response PDU, mb_rsp_pdu</li>
<li>MODBUS Exception Response PDU, mb_excep_rsp_pdu</li></ul>
mb_req_pdu = Function code (1 byte) + request data (n bytes)
request data field's size depends on the function code and usually includes values like variable values, data offset, and sub-function codes.<a class="footnote-ref" id="fnref:20" href="#fn:20">20</a>
mb_rsp_pdu = Function code (1 byte) + response data (n bytes)
As in mb_req_pdu, response data field's size depends on the function code and usually includes values like variable values, data offset, and sub-function codes.<a class="footnote-ref" id="fnref:21" href="#fn:21">21</a>
mb_excep_rsp_pdu = Exception Function code (1 byte) + exception code (1 byte)
Exception Function code = Function code (1 byte) + 0x80. Exception Function code is equal to the Function code, except that its MSB is set to 1.
Exception code (1 byte) of mb_excep_rsp_pdu is defined in the MODBUS Exception Codes table.
<h3>Modbus data model</h3>
Modbus defines its data model based on a series of tables of four primary types:<a class="footnote-ref" id="fnref:22" href="#fn:22">22</a>

<table><tbody><tr><th>Primary tables</th><th>Access</th><th>Size</th><th>Features</th></tr><tr><td>Discrete input</td><td>R</td><td>1 bit (0–1)</td><td>Read on/off value</td></tr><tr><td>Coil (discrete output)<a class="footnote-ref" id="fnref:23" href="#fn:23">23</a></td><td>R/W</td><td>1 bit (0–1)</td><td>Read/Write on/off value</td></tr><tr><td>Input register</td><td>R</td><td>16 bit words (0–65,535)</td><td>Read measurements and statuses</td></tr><tr><td>Holding register</td><td>R/W</td><td>16 bit words (0–65,535)</td><td>Read/Write configuration values</td></tr></tbody></table>
For each of the primary tables, the protocol allows individual selection of 65536 data items,
and the operations of read or write of those items are designed to span multiple consecutive
data items up to a data size limit which is dependent on the transaction function code.<a class="footnote-ref" id="fnref:24" href="#fn:24">24</a>

<h2 id="function-code">Function code</h2>
Modbus defines three types of function codes: Public, User-Defined and Reserved.<a class="footnote-ref" id="fnref:25" href="#fn:25">25</a>

<h3>Public function codes</h3>
<table><tbody><tr><th colspan="3">Function type</th><th>Function name</th><th>Function code</th><th>Comment</th></tr><tr><td rowspan="13">Data Access</td><td rowspan="4">Bit access</td><td>Physical Discrete Inputs</td><td>Read Discrete Inputs</td><td>2</td><td></td></tr><tr><td rowspan="3">Internal Bits or Physical Coils</td><td>Read Coils</td><td>1</td><td></td></tr><tr><td>Write Single Coil</td><td>5</td><td></td></tr><tr><td>Write Multiple Coils</td><td>15</td><td></td></tr><tr><td rowspan="7">16-bit access</td><td>Physical Input Registers</td><td>Read Input Registers</td><td>4</td><td></td></tr><tr><td rowspan="6">Internal Registers or Physical Output Registers</td><td>Read Multiple Holding Registers</td><td>3</td><td></td></tr><tr><td>Write Single Holding Register</td><td>6</td><td></td></tr><tr><td>Write Multiple Holding Registers</td><td>16</td><td></td></tr><tr><td>Read/Write Multiple Registers</td><td>23</td><td></td></tr><tr><td>Mask Write Register</td><td>22</td><td></td></tr><tr><td>Read FIFO Queue</td><td>24</td><td></td></tr><tr><td colspan="2" rowspan="2">File Record Access</td><td>Read File Record</td><td>20</td><td></td></tr><tr><td>Write File Record</td><td>21</td><td></td></tr><tr><td colspan="3" rowspan="6">Diagnostics</td><td>Read Exception Status</td><td>7</td><td>serial only</td></tr><tr><td>Diagnostic</td><td>8</td><td>serial only</td></tr><tr><td>Get Com Event Counter</td><td>11</td><td>serial only</td></tr><tr><td>Get Com Event Log</td><td>12</td><td>serial only</td></tr><tr><td>Report Server ID</td><td>17</td><td>serial only</td></tr><tr><td>Read Device Identification</td><td>43</td><td></td></tr><tr><td colspan="3">Other</td><td>Encapsulated Interface Transport</td><td>43</td><td></td></tr></tbody></table>
Note: Some sources use terminology that differs from the standard; for example Force Single Coil instead of Write Single Coil.<a class="footnote-ref" id="fnref:26" href="#fn:26">26</a>

<h4>Function code 01 (read coils) as an example of public function code</h4>
Function code 01 (read coils) allows reading the state from 1 to 2000 coils of a remote device. mb_req_pdu (request PDU) will then have 2 bytes to indicate the address of the first coil to read (from 0x0000 to 0xFFFF), and 2 bytes to indicate the number of coils to read. mb_req_pdu defines coil address by index 0, i.e the first coil has address 0x0. On a successful execution, mb_rsp_pdu will return one byte to note the function code (0x01), followed by one byte to indicate the number of data bytes it is returning (n), which will be the number of coils requested by mb_req_pdu, divided by 8 bits per byte, and rounded up. The remainder of the response will be the specified number (n) of data bytes.<a class="footnote-ref" id="fnref:27" href="#fn:27">27</a> That is, the mb_req_pdu and mb_rsp_pdu of function code 01 will take the following form:<a class="footnote-ref" id="fnref:28" href="#fn:28">28</a>

mb_req_pdu:
<ul><li>Function code: 0x01 (1 byte)</li>
<li>Starting Address (1st coil address to read): From 0x0000 to 0xFFFF (2 bytes)</li>
<li>Quantity of coils to read: Range from 1 to 2000 (0x7D0) (2 bytes)</li></ul>
mb_rsp_pdu:
<ul><li>Function code: 0x01 (1 byte)</li>
<li>Byte count: 1 byte (n=quantity of coils/8, rounded up)</li>
<li>Coil Status: n bytes</li></ul>
For instance, mb_req_pdu and mb_rsp_pdu to read coils status from 20-38 will be:<a class="footnote-ref" id="fnref:29" href="#fn:29">29</a>

mb_req_pdu:
<ul><li>Function code: 0x01</li>
<li>Starting Address High byte: 0x00</li>
<li>Starting Address Low byte: 0x13</li>
<li>Quantity of Outputs High byte: 0x00</li>
<li>Quantity of Outputs Low byte: 0x13</li></ul>
Starting Address (2 bytes) is 0x0013, (or 19 in decimal) which is the 20th coil.
Quantity of Outputs (2 bytes) is 0x0013, (or 19 in decimal) which corresponds to 19 values of status of coils 20th to 38th.
mb_rsp_pdu:
<ul><li>Function code: 0x01</li>
<li>Byte Count: 0x03</li>
<li>Outputs status 27-20: 0xCD</li>
<li>Outputs status 35-28: 0x6B</li>
<li>Outputs status 38-36: 0x05</li></ul>
As 19 coils (20-38) are required, 3 bytes is used to indicate the coil's state. So that Byte Count is 0x03. States of coil from 20 to 27 is 0xCD, which is 1100 1101 in binary. So coil 27 is MSb, and coil 20 is LSb. Same for coil 28 to 35. With coil from 36 to 38, the state will be 0x05, which is 0000 0101. Coil 38 state is the 3rd bit (count from the right), i.e 1, coil 37 is 0, and coil 36 state is LSb bit, i.e. 1. 5 left bits are all 0.
<h3>User-defined function codes</h3>
User-Defined Function Codes are function codes defined by users. Modbus gives two range of values for user-defined function codes: 65 to 72 and 100 to 110. Obviously, user-defined function codes are not unique.<a class="footnote-ref" id="fnref:30" href="#fn:30">30</a>

<h3>Reserved function codes</h3>
Reserved Function Codes are function codes used by some companies for legacy product and are not available for public use.<a class="footnote-ref" id="fnref:31" href="#fn:31">31</a>

<h2 id="exception-responses">Exception responses</h2>
When a client sends a request to a server, there can be four possible events for that request:<a class="footnote-ref" id="fnref:32" href="#fn:32">32</a>

<ul><li>If server receives the request and execute successfully, server will return a normal response.</li>
<li>If server cannot receive the request as having communication channel error, server will not respond anything to the client. Client will then have the timeout request error.</li>
<li>If server receives the request and detect an error on the communication channel (e.g parity, LRC, CRC), server will not response anything to the client. Client will then have the timeout request error.</li>
<li>If server receives the request and is unable to execute it (e.g client requests to read a non-existent register), server will return an exception response to client to indicate the nature of the error.</li></ul>
Exception response message includes two other fields when compared to a normal response message:<a class="footnote-ref" id="fnref:33" href="#fn:33">33</a>

<ul><li>Function Code: Function code's MSB bit of Exception is 1. This will make this function code 0x80 higher than then request message function code.</li>
<li>Data: Server returns the exception code inside the Data field. This field defines the nature of the error.</li></ul>
All Modbus exception code:<a class="footnote-ref" id="fnref:34" href="#fn:34">34</a>

<table><tbody><tr><th>Code</th><th>Text</th><th>Details</th></tr><tr><td>1</td><td>Illegal Function</td><td>Function code received in the query is not recognized or allowed by server</td></tr><tr><td>2</td><td>Illegal Data Address</td><td>Data address of some or all the required entities are not allowed or do not exist in server</td></tr><tr><td>3</td><td>Illegal Data Value</td><td>Value is not accepted by server</td></tr><tr><td>4</td><td>Server Device Failure</td><td>Unrecoverable error occurred while server was attempting to perform requested action</td></tr><tr><td>5</td><td>Acknowledge</td><td>Server has accepted request and is processing it, but a long duration of time is required. This response is returned to prevent a timeout error from occurring in the client. client can next issue a Poll Program Complete message to determine whether processing is completed</td></tr><tr><td>6</td><td>Server Device Busy</td><td>Server is engaged in processing a long-duration command; client should retry later</td></tr><tr><td>7</td><td>Negative Acknowledge</td><td>Server cannot perform the programming functions; client should request diagnostic or error information from server</td></tr><tr><td>8</td><td>Memory Parity Error</td><td>Server detected a parity error in memory; client can retry the request</td></tr><tr><td>10</td><td>Gateway Path Unavailable</td><td>Specialized for Modbus gateways: indicates a misconfigured gateway</td></tr><tr><td>11</td><td>Gateway Target Device Failed to Respond</td><td>Specialized for Modbus gateways: sent when server fails to respond</td></tr></tbody></table>
<h2 id="modbus-over-serial-line-protocol">Modbus over Serial Line protocol</h2>
Modbus standard also defines Modbus over Serial Line, a protocol over the <a href="/facts/Data_link_layer/K9yPufbt">data link layer</a> of the OSI model for the Modbus application layer protocol to be communicated over a <a href="/facts/Serial_communication/r5xP7P1c">serial bus</a>.<a class="footnote-ref" id="fnref:35" href="#fn:35">35</a> Modbus Serial Line protocol is a <a href="/facts/Master-slave_protocol/8APze020">master-slave protocol</a> which supports one master and multiple slaves in the serial bus.<a class="footnote-ref" id="fnref:36" href="#fn:36">36</a> With Modbus protocol on the application layer, client/server model is used for the devices on the communication channel. With Modbus over Serial Line, client's role is implemented by master, and the server's role is implemented by slave.<a class="footnote-ref" id="fnref:37" href="#fn:37">37</a><a class="footnote-ref" id="fnref:38" href="#fn:38">38</a>
The organization's naming convention inverts the common usage of having multiple clients and only one server. To avoid this confusion, the RS-485 transport layer uses the terms "node" or "device" instead of "server", and the "client" is not a "node".<a class="footnote-ref" id="fnref:39" href="#fn:39">39</a>

The (Modbus Organization) is using "client-server" to describe Modbus communications, characterized by communication between [client device (s), which initiates communication and makes requests of server device(s), which process requests and return an appropriate response (or error message).
A serial bus for Modbus over Serial Line can have a maximum of 247 slaves communicating with one master. Those slaves have a unique address ranging from 1 to 247 (decimal value).<a class="footnote-ref" id="fnref:40" href="#fn:40">40</a> The master doesn't need to have an address.<a class="footnote-ref" id="fnref:41" href="#fn:41">41</a> The communication process is initiated by the master, as only it can initiate a Modbus transaction. A slave will never transmit any data or perform any action without a request from the master, and slaves cannot communicate with each other.<a class="footnote-ref" id="fnref:42" href="#fn:42">42</a>
In Modbus over Serial Line, the master initiates requests to the slaves in unicast or broadcast modes. In unicast mode, the master will initiate a request to a single slave with a specific address. Upon receiving and finishing the request, the slave will respond with a message to the master.<a class="footnote-ref" id="fnref:43" href="#fn:43">43</a> In this mode, a Modbus transaction includes two messages: one request from the master and one reply from the slave. Each slave must have a unique address (from 1 to 247) to be addressed independently for the communication.<a class="footnote-ref" id="fnref:44" href="#fn:44">44</a> In broadcast mode, the master can send a request to all the slaves, using the broadcast address 0,<a class="footnote-ref" id="fnref:45" href="#fn:45">45</a> which is the address reserved for broadcast exchanges (and not the master address). Slaves must accept broadcast exchanges but must not respond.<a class="footnote-ref" id="fnref:46" href="#fn:46">46</a>
The mapping of PDU of Modbus to the serial bus of Modbus over Serial Line protocol results in Modbus Serial Line PDU.<a class="footnote-ref" id="fnref:47" href="#fn:47">47</a>
Modbus Serial Line PDU = Address + PDU + CRC (or LRC)
With PDU = Function code + data

<ul><li>Address is slave address</li>
<li>PDU is defined identically to the PDU of Modbus Application protocol</li>
<li>The Error check field with CRC/LRC: The error check methods depend on the protocol versions of the MODBUS over Serial Line, whether it is Modbus RTU or Modbus ASCII.</li></ul>
On the <a href="/facts/Physical_layer/WuATCrVw">physical layer</a>, MODBUS over Serial Line performs its communication on bit by <a href="/facts/RS485/YEABejzm">RS485</a> or <a href="/facts/RS-232/NCpvGuyq">RS232</a>, with TIA/EIA-485 Two-Wire interface as the most popular way. RS485 Four-Wire interface is also used. TIA/EIA-232-E (RS232) can also be used but is limited to point-to-point short-range communication.<a class="footnote-ref" id="fnref:48" href="#fn:48">48</a> MODBUS over Serial Line has two transmission modes RTU and ASCII which are corresponded to two versions of the protocol, known as Modbus RTU and Modbus ASCII.<a class="footnote-ref" id="fnref:49" href="#fn:49">49</a>

<h3>Modbus RTU</h3>
Modbus RTU (Remote Terminal Unit), which is the most common implementation available for Modbus, makes use of a compact, binary representation of the data for protocol communication. The RTU format follows the commands/data with a <a href="/facts/Cyclic_redundancy_check/u2exo4sv">cyclic redundancy check</a> checksum as an error check mechanism to ensure the reliability of data. A Modbus RTU message must be transmitted continuously without inter-character hesitations. Modbus messages are framed (separated) by idle (silent) periods. Each byte (8 bits) of data is sent as 11 bits:<a class="footnote-ref" id="fnref:50" href="#fn:50">50</a><a class="footnote-ref" id="fnref:51" href="#fn:51">51</a>

<ul><li>1 start bit</li>
<li>8 bit data/message, least significant bit sent first</li>
<li>1 bit parity</li>
<li>1 stop bit</li></ul>
The default is even parity, while odd or no parity may be implemented as additional options.<a class="footnote-ref" id="fnref:52" href="#fn:52">52</a>
A Modbus RTU frame then will be:<a class="footnote-ref" id="fnref:53" href="#fn:53">53</a>

<table><tbody><tr><th>Slave address</th><th>Function Code</th><th>Data</th><th>CRC</th></tr><tr><td>1 byte</td><td>1 byte</td><td>0 – 252 bytes</td><td>2 bytes: 1 CRC low byte and 1 CRC high byte</td></tr></tbody></table>
The CRC calculation is widely known as CRC-16-MODBUS, whose polynomial is x16 + x15 + x2 + 1 (normal hexadecimal algebraic polynomial being 8005 and reversed A001).<a class="footnote-ref" id="fnref:54" href="#fn:54">54</a>
Example of a Modbus RTU frame in hexadecimal: 01 04 02 FF FF B8 80 (CRC-16-MODBUS calculation for the 5 bytes from 01 to FF gives 80B8, which is transmitted least significant byte first).
To ensure frame integrity during the transmission, the time interval between two frames must be at least the transmission time of 3.5 characters, and the time interval between two consecutive characters must be no more than the transmission time of 1.5 characters.<a class="footnote-ref" id="fnref:55" href="#fn:55">55</a> For example, with the default data rate of 19200 bit/s, the transmission times of 3.5 (t3.5) and 1.5 (t1.5) 11-bit characters are:

 
 
 
 t
 3.5
 =
 3.5
 ∗
 
 (
 
 
 
 11
 ∗
 1000
 
 19200
 
 
 )
 
 =
 2.005
 m
 s
 
 
 {\displaystyle t3.5=3.5*\left({\frac {11*1000}{19200}}\right)=2.005ms}

t
 1.5
 =
 1.5
 ∗
 
 (
 
 
 
 11
 ∗
 
 10
 
 6
 
 
 
 19200
 
 
 )
 
 =
 859.375
 μ
 s
 
 
 {\displaystyle t1.5=1.5*\left({\frac {11*10^{6}}{19200}}\right)=859.375\mu s}

For higher data rates, Modbus RTU recommends to use the fixed values 750 μs for t1.5 and 1.750 ms for t3.5.<a class="footnote-ref" id="fnref:56" href="#fn:56">56</a>

<h3>Modbus ASCII</h3>
Modbus ASCII makes use of <a href="/facts/ASCII/vGUI33Qu">ASCII</a> characters for protocol communication. The ASCII format uses a <a href="/facts/Longitudinal_redundancy_check/vGoJjpjR">longitudinal redundancy check</a> checksum. Modbus ASCII messages are framed by a leading colon (":") and trailing newline (CR/LF).
A Modbus ASCII frame includes:<a class="footnote-ref" id="fnref:57" href="#fn:57">57</a>

<table><tbody><tr><th>Name</th><th>Length (bytes)</th><th>Function</th></tr><tr><th>Start</th><td>1</td><td>Colon : (<a href="/facts/ASCII/vGUI33Qu">ASCII</a> value 3A16)</td></tr><tr><th>Address</th><td>2</td><td>Station address</td></tr><tr><th>Function</th><td>2</td><td>Indicates the function code e.g. "read coils"</td></tr><tr><th>Data</th><td>n × 2</td><td>Data + length will be filled depending on the message type</td></tr><tr><th>LRC</th><td>2</td><td><a href="/facts/Checksum/AqxQ0I8g">Checksum</a> (<a href="/facts/Longitudinal_redundancy_check/vGoJjpjR">longitudinal redundancy check</a>)</td></tr><tr><th>End</th><td>2</td><td>Carriage return + line feed (CR/LF) pair (ASCII values 0D16 and 0A16)</td></tr></tbody></table>
Address, Function, Data, and LRC are ASCII hexadecimal encoded values, whereby 8-bit values (0–255) are encoded as two human-readable ASCII characters from the ranges 0–9 and A–F. For example, a value of 122 (7A16) is encoded as two ASCII characters, "7" and "A", and transmitted as two bytes, 55 (3716, ASCII value for "7") and 65 (4116, ASCII value for "A").
LRC is calculated as the sum of 8-bit values (excluding the start and end characters), negated (<a href="/facts/Two%27s_complement/xhjYpnsc">two's complement</a>) and encoded as an 8-bit value. For example, if Address, Function, and Data are 247, 3, 19, 137, 0, and 10, the two's complement of their sum (416) is −416; this trimmed to 8 bits is 96 (256 × 2 − 416 = 6016), giving the following 17 ASCII character frame: :F7031389000A60␍␊. LRC is specified for use only as a checksum: because it is calculated on the encoded data rather than the transmitted characters, its 'longitudinal' characteristic is not available for use with parity bits to locate single-bit errors.

<h2 id="modbus-messaging-on-tcpip">Modbus Messaging on TCP/IP</h2>
<h3>Modbus TCP</h3>
Modbus TCP or Modbus TCP/IP is a Modbus variant used for communications over <a href="/facts/TCP/IP/KNkxtSpw">TCP/IP</a> networks, connecting over port 502.<a class="footnote-ref" id="fnref:58" href="#fn:58">58</a> It does not require a checksum calculation, as lower layers already provide checksum protection.
Modbus TCP nomenclature is the same as for the Modbus over Serial line protocol, as any device which send out a Modbus command, is the 'client' and the response comes from a 'server'.<a class="footnote-ref" id="fnref:59" href="#fn:59">59</a>
The ADU for Modbus TCP is officially called Modbus TCP/IP ADU by the Modbus organization<a class="footnote-ref" id="fnref:60" href="#fn:60">60</a> and is also called Modbus TCP frame by other parties.<a class="footnote-ref" id="fnref:61" href="#fn:61">61</a> 
MODBUS TCP/IP ADU = MBAP Header + Function code + Data 
Where MBAP - which stands for MODBUS Application Protocol header - is the dedicated header used on TCP/IP to identify the MODBUS Application Data Unit. 
The MBAP Header contains the following fields:<a class="footnote-ref" id="fnref:62" href="#fn:62">62</a> 

<table><tbody><tr><th>Name</th><th>Length (bytes)</th><th>Function</th></tr><tr><th>Transaction identifier</th><td>2</td><td>For synchronization between messages of server and client</td></tr><tr><th>Protocol identifier</th><td>2</td><td>0 for Modbus/TCP</td></tr><tr><th>Length field</th><td>2</td><td>Number of remaining bytes in this frame</td></tr><tr><th>Unit identifier</th><td>1</td><td>Server address (255 if not used), treated like slave address in Modbus over Serial line</td></tr></tbody></table>
Unit identifier is used with Modbus TCP devices that are composites of several Modbus devices, e.g. Modbus TCP to Modbus RTU gateways. In such a case, the unit identifier is the Server Address of the device behind the gateway.
A MODBUS TCP/IP ADU/Modbus TCP frame format then will be:<a class="footnote-ref" id="fnref:63" href="#fn:63">63</a><a class="footnote-ref" id="fnref:64" href="#fn:64">64</a>

<table><tbody><tr><th>Transaction identifier</th><th>Protocol identifier</th><th>Length</th><th>Unit identifier</th><th>Function code</th><th>Data</th></tr><tr><td>2 bytes</td><td>2 bytes</td><td>2 bytes</td><td>1 byte</td><td>1 byte</td><td>n bytes</td></tr></tbody></table>
<h4>Example of a Modbus TCP/IP ADU/Modbus TCP frame in hexadecimal</h4>
12 34 00 00 00 06 01 03 00 01 00 01 

<ul><li>0x12 and 0x34 : With transaction ID = 0x1234 (2 bytes) as a "unique number" to be identified between the Modbus TCP client/server, the transaction ID High byte is 0x12 and transaction ID Low byte is 0x34</li>
<li>0x00 and 0x00 : Protocol identifier high byte and low byte</li>
<li>0x00 and 0x06 : Length high byte and low byte. The length is 6 bytes which includes: unit identifier (slave address) (1 byte), function code (1 byte), high byte of the register address to read (1 byte), low byte of the register address to read (1 byte) and data (2 bytes = high byte and low byte of the number of registers to read)</li>
<li>0x01 : Unit identifier (slave address)</li>
<li>0x03 : Function code (Read Multiple Holding Registers)</li>
<li>0x00 and 0x01 : high byte and low byte of the register address to read. The register address to read in this case is 0x0001.</li>
<li>0x00 and 0x01 : high byte and low byte of the number of registers to read. The number of registers to read in this case is 0x0001. (i.e 1 register)</li></ul>
<h3>Other Modbus protocol versions over TCP/IP</h3>
<ul><li>Modbus over TCP/IP, Modbus over TCP, or Modbus RTU/IP – a variant that differs from Modbus TCP in that a checksum is included in the payload, as with Modbus RTU.</li>
<li>Modbus over UDP – some have experimented with using Modbus over <a href="/facts/User_Datagram_Protocol/dxLU0D6q">UDP</a> on IP networks, which removes the overhead of TCP.<a class="footnote-ref" id="fnref:65" href="#fn:65">65</a></li></ul>
<h2 id="other-modbus-protocol-versions">Other Modbus protocol versions</h2>
Besides the widely used Modbus RTU, Modbus ASCII and Modbus TCP, there are many variants of Modbus protocols:

<ul><li>Modbus Plus (Modbus+, MB+, or MBP) – Modbus Plus is proprietary to <a href="/facts/Schneider_Electric/8DEQxsAw">Schneider Electric</a>, though it is unpublished rather than patented, and unlike the other variants, it supports <a href="/facts/Peer-to-peer/wCCdPb0H">peer-to-peer</a> communications between multiple clients.<a class="footnote-ref" id="fnref:66" href="#fn:66">66</a> Despite the name, Modbus Plus<a class="footnote-ref" id="fnref:67" href="#fn:67">67</a> is not a variant of Modbus. It is a different <a href="/facts/Communications_protocol/5uady7cB">protocol</a>, involving <a href="/facts/Token_passing/9cw7bA4f">token passing</a>. It requires a dedicated co-processor to handle fast <a href="/facts/High-Level_Data_Link_Control/aTndRUQ3">HDLC</a>-like token rotation. It uses twisted pair at 1 Mbit/s and includes transformer isolation at each node, which makes it transition/edge-triggered instead of voltage/level-triggered. Special hardware is required to connect Modbus Plus to a computer, typically a card made for the <a href="/facts/Industry_Standard_Architecture/5Rk4bjqB">ISA</a>, <a href="/facts/Peripheral_Component_Interconnect/n6CGuFvP">PCI</a>, or <a href="/facts/PC_Card/Dt0get4l">PCMCIA</a> bus. Modbus Plus is normally implemented using a custom <a href="/facts/Chipset/0xU3kbVI">chipset</a> available only to partners of Schneider.</li>
<li>Pemex Modbus – an extension of standard Modbus with support for historical and flow data. It was designed for the <a href="/facts/Pemex/WEomyJXC">Pemex</a> oil and gas company for use in process control and never gained widespread adoption.</li>
<li>Enron Modbus – another extension of standard Modbus developed by <a href="/facts/Enron/NxH90ght">Enron</a> with support for 32-bit integer and floating-point variables, and historical and flow data. Data types are mapped using standard addresses.<a class="footnote-ref" id="fnref:68" href="#fn:68">68</a> The historical data serves to meet an <a href="/facts/American_Petroleum_Institute/AfgA8q7K">American Petroleum Institute</a> (API) industry standard for how data should be stored.</li></ul>
Data models and function calls are identical for the first four variants listed above; only the encapsulation is different. However the variants are not interoperable, nor are the frame formats.

<h3>JBUS mapping</h3>
Another de facto protocol closely related to Modbus appeared later, and was defined by <a href="/facts/Programmable_logic_controller/bqh0GAdb">PLC</a> maker April Automates, the result of a collaborative effort between French companies <a href="/facts/Renault/obzoLxSN">Renault</a> Automation and <a href="/facts/Merlin_Gerin/8DEQxsAw">Merlin Gerin</a> et Cie in 1985: JBUS. Differences between Modbus and JBUS at that time (number of entities, server stations) are now irrelevant as this protocol almost disappeared with the April PLC series, which AEG Schneider Automation bought in 1994 and then made obsolete. However, the name JBUS has survived to some extent.
JBUS supports function codes 1, 2, 3, 4, 5, 6, 15, and 16 and thus all the entities described above, although numbering is different:

<ul><li>Number and address coincide: entity #x has address x in the data frame.</li>
<li>Consequently, entity number does not include the entity type. For example, holding register #40010 in Modbus will be holding register #9, at address 9 in JBUS.</li>
<li>Number 0 (and thus address 0) is not supported. The server should not implement any real data at this number and address, and it can return a null value or throw an error when requested.</li></ul>
<h2 id="limitations">Limitations</h2>
<ul><li>Since Modbus was designed in the late 1970s to communicate to programmable logic controllers, the number of data types is limited to those understood by PLCs at the time. Large binary objects are not supported.</li>
<li>No standard way exists for a node to find the description of a data object, for example, to learn that a register value represents a temperature between 30 and 175 degrees.</li>
<li>Since Modbus is a client/server (formerly master/slave) protocol,<a class="footnote-ref" id="fnref:69" href="#fn:69">69</a> there is no way for a field device to get data by the event handler mechanism (except over Ethernet TCP/IP, called open-mbus) as the client node must routinely poll each field device and look for changes in the data. This consumes <a href="/facts/Bandwidth_(computing)/lY6Tb4gX">bandwidth</a> and network time in applications where bandwidth may be expensive, such as over a low-bit-rate radio link.</li>
<li>Modbus is restricted to addressing 247 devices on one data link, which limits the number of field devices that may be connected to a parent station (again, Ethernet TCP/IP is an exception).</li>
<li>Modbus protocol itself provides no security against unauthorized commands or interception of data.<a class="footnote-ref" id="fnref:70" href="#fn:70">70</a></li></ul>
<h2 id="see-also">See also</h2>
<ul><li><a href="/facts/BACnet/145nwCv2">BACnet</a></li>
<li><a href="/facts/CAN_bus/EGxoS88W">CAN bus</a></li>
<li><a href="/facts/LonWorks/IgkozrtT">LonWorks</a></li>
<li><a href="/facts/Industrial_Ethernet/IsB9Hwca">Industrial ethernet</a></li></ul>

<h3>Works cited</h3>
<ul><li>MODBUS Application Protocol (2012). <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf">Modbus application protocol specification V1.1b3</a> (PDF). The Modbus Organization. Retrieved 2023-10-10.</li>
<li>MODBUS over Serial Line protocol (2006). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf">MODBUS over Serial Line Specification & Implementation guide V1.02</a> (PDF).</li>
<li>MODBUS Messaging on TCP/IP (2006). <a href="https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf">MODBUS Messaging on TCP/IP Implementation Guide V1.0b</a> (PDF). Modbus Organization.</li>
<li>MODICON, Inc. (1996). <a href="https://modbus.org/docs/PI_MBUS_300.pdf">Modicon Modbus Protocol Reference Guide/Modbus Over Serial Line (for legacy application only)</a> (PDF).</li></ul>
<h2 id="external-links">External links</h2>
<ul><li><a href="https://modbus.org/">Modbus Organization website</a></li></ul>
<h3>Specifications</h3>
<ul><li><a href="https://modbus.org/">Modbus Organization</a> – links to protocol specifications</li>
<li><a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf">Modbus over serial line V1.02</a> – Modbus Organization (2006)</li>
<li><a href="https://modbus.org/docs/PI_MBUS_300.pdf">Modicon Modbus Protocol Reference Guide</a> – Modbus Organization (1996). This is an obsolete Modbus specification, should only be used to address legacy issues.</li></ul>
<h3>Other</h3>
<ul><li><a href="http://www.modbusbacnet.com/includes/pdf/MODBUS_2010Nov12.pdf">Modbus for Field Technicians</a> at modbusbacnet.com</li>
<li><a href="https://www.rfwireless-world.com/Tutorials/Modbus-Protocol-tutorial.html">Modbus tutorial</a> at RF Wireless World</li></ul>

<h2 id="references">References</h2>

<ol>
<li id="fn:1">MODBUS Application Protocol 2012, p. 2. - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></li>
<li id="fn:2">MODICON, Inc. 1996, "Preface" - MODICON, Inc. (1996). Modicon Modbus Protocol Reference Guide/Modbus Over Serial Line (for legacy application only) (PDF). <a href="https://modbus.org/docs/PI_MBUS_300.pdf" target="_blank">https://modbus.org/docs/PI_MBUS_300.pdf</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></li>
<li id="fn:3">Drury, Bill (2009). Control Techniques Drives and Controls Handbook (PDF) (2nd ed.). Institution of Engineering and Technology. pp. 508–. <a href="https://app.knovel.com/kn/resources/kpCTDCHE08/toc" target="_blank">https://app.knovel.com/kn/resources/kpCTDCHE08/toc</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></li>
<li id="fn:4">MODBUS Application Protocol 2012, p. 2. - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></li>
<li id="fn:5">MODBUS Application Protocol 2012, p. 2. - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></li>
<li id="fn:6">"Modbus FAQ". Modbus. Modbus Organization, Inc. Retrieved 1 November 2012. <a href="https://modbus.org/faq.php" target="_blank">https://modbus.org/faq.php</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></li>
<li id="fn:7">"About Modbus Organization". Modbus. Modbus Organization, Inc. Retrieved 8 November 2012. <a href="https://modbus.org/about_us.php" target="_blank">https://modbus.org/about_us.php</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></li>
<li id="fn:8">MODBUS Application Protocol 2012, p. 2. - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></li>
<li id="fn:9">MODBUS Application Protocol 2012, p. 4, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></li>
<li id="fn:10">MODBUS Application Protocol 2012, p. 4, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></li>
<li id="fn:11">MODBUS Application Protocol 2012, p. 3, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></li>
<li id="fn:12">MODBUS Application Protocol 2012, p. 3, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></li>
<li id="fn:13">MODBUS Application Protocol 2012, p. 5, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></li>
<li id="fn:14">MODBUS Application Protocol 2012, p. 5, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></li>
<li id="fn:15">MODBUS Application Protocol 2012, p. 7, "4.4 MODBUS Addressing model" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></li>
<li id="fn:16">MODBUS Application Protocol 2012, p. 4, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></li>
<li id="fn:17">MODBUS Application Protocol 2012, p. 4, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></li>
<li id="fn:18">MODBUS Application Protocol 2012, p. 9, "Figure 9 MODBUS Transaction state diagram" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></li>
<li id="fn:19">MODBUS Application Protocol 2012, p. 5, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></li>
<li id="fn:20">MODBUS Application Protocol 2012, p. 5, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></li>
<li id="fn:21">MODBUS Application Protocol 2012, p. 5, "4.1 Protocol description" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></li>
<li id="fn:22">MODBUS Application Protocol 2012, p. 6, "4.3 MODBUS Data model" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></li>
<li id="fn:23">"Modpoll Modbus Master Simulator". modbusdriver.com. Retrieved 2023-10-13"-t 0" is for "Discrete output (coil) data type"{{cite web}}: CS1 maint: postscript (link) <a href="https://www.modbusdriver.com/modpoll.html" target="_blank">https://www.modbusdriver.com/modpoll.html</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></li>
<li id="fn:24">MODBUS Application Protocol 2012, p. 6, "4.3 MODBUS Data model" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></li>
<li id="fn:25">MODBUS Application Protocol 2012, p. 10, "5 Function Code Categories" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:25" class="footnote-back-ref">↩</a></li>
<li id="fn:26">Clarke, Gordon; Reynders, Deon (2004). Practical Modern Scada Protocols: Dnp3, 60870.5 and Related Systems. Newnes. pp. 47–51. ISBN 0-7506-5799-5. <a href="0-7506-5799-5" target="_blank">0-7506-5799-5</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></li>
<li id="fn:27">MODBUS Application Protocol 2012, p. 11 - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></li>
<li id="fn:28">MODBUS Application Protocol 2012, p. 11 - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:28" class="footnote-back-ref">↩</a></li>
<li id="fn:29">MODBUS Application Protocol 2012, p. 12, "6.1 01 (0x01) Read Coils" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></li>
<li id="fn:30">MODBUS Application Protocol 2012, p. 10, "5 Function Code Categories" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></li>
<li id="fn:31">MODBUS Application Protocol 2012, p. 10, "5 Function Code Categories" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:31" class="footnote-back-ref">↩</a></li>
<li id="fn:32">MODBUS Application Protocol 2012, p. 47, "7 MODBUS Exception Responses" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:32" class="footnote-back-ref">↩</a></li>
<li id="fn:33">MODBUS Application Protocol 2012, p. 47, "7 MODBUS Exception Responses" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:33" class="footnote-back-ref">↩</a></li>
<li id="fn:34">MODBUS Application Protocol 2012, p. 48, "7 MODBUS Exception Responses" - MODBUS Application Protocol (2012). Modbus application protocol specification V1.1b3 (PDF). The Modbus Organization. Retrieved 2023-10-10. <a href="https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf" target="_blank">https://modbus.org/docs/Modbus_Application_Protocol_V1_1b3.pdf</a> <a href="#fnref:34" class="footnote-back-ref">↩</a></li>
<li id="fn:35">MODBUS over Serial Line protocol 2006, p. 4 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:35" class="footnote-back-ref">↩</a></li>
<li id="fn:36">MODBUS over Serial Line protocol 2006, p. 5 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:36" class="footnote-back-ref">↩</a></li>
<li id="fn:37">MODBUS over Serial Line protocol 2006, p. 5 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:37" class="footnote-back-ref">↩</a></li>
<li id="fn:38">"Modbus Organization Replaces Master-Slave with Client-Server (press release)" (PDF). modbus.org. 9 July 2020. Retrieved 11 July 2023. <a href="https://modbus.org/docs/Client-ServerPR-07-2020-final.docx.pdf" target="_blank">https://modbus.org/docs/Client-ServerPR-07-2020-final.docx.pdf</a> <a href="#fnref:38" class="footnote-back-ref">↩</a></li>
<li id="fn:39">"Modbus Organization Replaces Master-Slave with Client-Server (press release)" (PDF). modbus.org. 9 July 2020. Retrieved 11 July 2023. <a href="https://modbus.org/docs/Client-ServerPR-07-2020-final.docx.pdf" target="_blank">https://modbus.org/docs/Client-ServerPR-07-2020-final.docx.pdf</a> <a href="#fnref:39" class="footnote-back-ref">↩</a></li>
<li id="fn:40">MODBUS over Serial Line protocol 2006, p. 8 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:40" class="footnote-back-ref">↩</a></li>
<li id="fn:41">MODBUS over Serial Line protocol 2006, p. 8 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:41" class="footnote-back-ref">↩</a></li>
<li id="fn:42">MODBUS over Serial Line protocol 2006, p. 7 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:42" class="footnote-back-ref">↩</a></li>
<li id="fn:43">MODBUS over Serial Line protocol 2006, p. 8 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:43" class="footnote-back-ref">↩</a></li>
<li id="fn:44">MODBUS over Serial Line protocol 2006, p. 8 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:44" class="footnote-back-ref">↩</a></li>
<li id="fn:45">MODBUS over Serial Line protocol 2006, p. 8 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:45" class="footnote-back-ref">↩</a></li>
<li id="fn:46">MODBUS over Serial Line protocol 2006, p. 7 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:46" class="footnote-back-ref">↩</a></li>
<li id="fn:47">MODBUS over Serial Line protocol 2006, p. 8 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:47" class="footnote-back-ref">↩</a></li>
<li id="fn:48">MODBUS over Serial Line protocol 2006, p. 5 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:48" class="footnote-back-ref">↩</a></li>
<li id="fn:49">MODBUS over Serial Line protocol 2006, p. 12 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:49" class="footnote-back-ref">↩</a></li>
<li id="fn:50">Drury, Bill (2009). Control Techniques Drives and Controls Handbook (PDF) (2nd ed.). Institution of Engineering and Technology. pp. 508–. <a href="https://app.knovel.com/kn/resources/kpCTDCHE08/toc" target="_blank">https://app.knovel.com/kn/resources/kpCTDCHE08/toc</a> <a href="#fnref:50" class="footnote-back-ref">↩</a></li>
<li id="fn:51">MODBUS over Serial Line protocol 2006, p. 12 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:51" class="footnote-back-ref">↩</a></li>
<li id="fn:52">MODBUS over Serial Line protocol 2006, p. 12 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:52" class="footnote-back-ref">↩</a></li>
<li id="fn:53">MODBUS over Serial Line protocol 2006, p. 13, "2.5.1.1 MODBUS Message RTU Framing" - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:53" class="footnote-back-ref">↩</a></li>
<li id="fn:54">MODBUS over Serial Line protocol 2006, p. 39 - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:54" class="footnote-back-ref">↩</a></li>
<li id="fn:55">MODBUS over Serial Line protocol 2006, p. 13, "2.5.1.1 MODBUS Message RTU Framing" - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:55" class="footnote-back-ref">↩</a></li>
<li id="fn:56">MODBUS over Serial Line protocol 2006, p. 13, "2.5.1.1 MODBUS Message RTU Framing" - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:56" class="footnote-back-ref">↩</a></li>
<li id="fn:57">MODBUS over Serial Line protocol 2006, p. 17, "2.5.2.1 MODBUS Message ASCII Framing" - MODBUS over Serial Line protocol (2006). MODBUS over Serial Line Specification & Implementation guide V1.02 (PDF). <a href="https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf" target="_blank">https://modbus.org/docs/Modbus_over_serial_line_V1_02.pdf</a> <a href="#fnref:57" class="footnote-back-ref">↩</a></li>
<li id="fn:58">MODBUS Messaging on TCP/IP 2006, p. 6 - MODBUS Messaging on TCP/IP (2006). MODBUS Messaging on TCP/IP Implementation Guide V1.0b (PDF). Modbus Organization. <a href="https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf" target="_blank">https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf</a> <a href="#fnref:58" class="footnote-back-ref">↩</a></li>
<li id="fn:59">Prat, Jérôme (13 February 2017). "Crash Course: Client/Server/Master/Slave". ProSoft Technology. Retrieved 2022-10-17. <a href="https://www.prosoft-technology.com/insights/technology-focus/#" target="_blank">https://www.prosoft-technology.com/insights/technology-focus/#</a> <a href="#fnref:59" class="footnote-back-ref">↩</a></li>
<li id="fn:60">MODBUS Messaging on TCP/IP 2006, p. 4, "3.1.2 MODBUS On TCP/IP Application Data Unit" - MODBUS Messaging on TCP/IP (2006). MODBUS Messaging on TCP/IP Implementation Guide V1.0b (PDF). Modbus Organization. <a href="https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf" target="_blank">https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf</a> <a href="#fnref:60" class="footnote-back-ref">↩</a></li>
<li id="fn:61">Drury, Bill (2009). Control Techniques Drives and Controls Handbook (PDF) (2nd ed.). Institution of Engineering and Technology. pp. 508–. <a href="https://app.knovel.com/kn/resources/kpCTDCHE08/toc" target="_blank">https://app.knovel.com/kn/resources/kpCTDCHE08/toc</a> <a href="#fnref:61" class="footnote-back-ref">↩</a></li>
<li id="fn:62">MODBUS Messaging on TCP/IP 2006, p. 5, "3.1.3 MBAP Header description" - MODBUS Messaging on TCP/IP (2006). MODBUS Messaging on TCP/IP Implementation Guide V1.0b (PDF). Modbus Organization. <a href="https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf" target="_blank">https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf</a> <a href="#fnref:62" class="footnote-back-ref">↩</a></li>
<li id="fn:63">MODBUS Messaging on TCP/IP 2006, p. 5, "3.1.3 MBAP Header description" - MODBUS Messaging on TCP/IP (2006). MODBUS Messaging on TCP/IP Implementation Guide V1.0b (PDF). Modbus Organization. <a href="https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf" target="_blank">https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf</a> <a href="#fnref:63" class="footnote-back-ref">↩</a></li>
<li id="fn:64">MODBUS Messaging on TCP/IP 2006, p. 4, "3.1.2 MODBUS On TCP/IP Application Data Unit" - MODBUS Messaging on TCP/IP (2006). MODBUS Messaging on TCP/IP Implementation Guide V1.0b (PDF). Modbus Organization. <a href="https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf" target="_blank">https://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf</a> <a href="#fnref:64" class="footnote-back-ref">↩</a></li>
<li id="fn:65">"Java Modbus Library - About". 2010. Retrieved 2017-02-07. <a href="http://jamod.sourceforge.net" target="_blank">http://jamod.sourceforge.net</a> <a href="#fnref:65" class="footnote-back-ref">↩</a></li>
<li id="fn:66">"What is the difference between Modbus and Modbus Plus?". Schneider Electric. 21 August 2004. Retrieved 2017-02-07. <a href="https://www.se.com/ca/en/faqs/FA198221/" target="_blank">https://www.se.com/ca/en/faqs/FA198221/</a> <a href="#fnref:66" class="footnote-back-ref">↩</a></li>
<li id="fn:67">"Modbus Plus - Modbus Plus Network - Products overview - Schneider Electric United States". Schneider-electric.com. Retrieved 2014-01-03. <a href="https://www.se.com/us/en/product-range/576-modbus-plus/" target="_blank">https://www.se.com/us/en/product-range/576-modbus-plus/</a> <a href="#fnref:67" class="footnote-back-ref">↩</a></li>
<li id="fn:68">"Simply Modbus - About Enron Modbus". Simply Modbus. Retrieved 2017-02-07. <a href="https://www.simplymodbus.ca/Enron.htm" target="_blank">https://www.simplymodbus.ca/Enron.htm</a> <a href="#fnref:68" class="footnote-back-ref">↩</a></li>
<li id="fn:69">"Modbus Organization Replaces Master-Slave with Client-Server (press release)" (PDF). modbus.org. 9 July 2020. Retrieved 11 July 2023. <a href="https://modbus.org/docs/Client-ServerPR-07-2020-final.docx.pdf" target="_blank">https://modbus.org/docs/Client-ServerPR-07-2020-final.docx.pdf</a> <a href="#fnref:69" class="footnote-back-ref">↩</a></li>
<li id="fn:70">Palmer; Shenoi, Sujeet, eds. (23–25 March 2009). Critical Infrastructure Protection III. Third IFIP WG 11. 10 International Conference. Hanover, New Hampshire: Springer. p. 87. ISBN 978-3-642-04797-8. <a href="978-3-642-04797-8" target="_blank">978-3-642-04797-8</a> <a href="#fnref:70" class="footnote-back-ref">↩</a></li>
</ol>

Modbus open-in-new

Modbus