Modbus TCP: A Comprehensive Guide to the Protocol and Its Applications

Umar Waseem

31 Jul, 2023

Network Switch and UTP Ethernet Cables

This article provides a detailed overview of the Modbus TCP protocol fundamentals, communication, data representation, security, daily life applications, and integration.

automation

- cybersecurity

- Human-Computer Interaction

- IIoT

- transportation

Introduction

Modbus TCP is a widely used industrial communication protocol that enables devices to exchange data over a network. It is an extension of the Modbus protocol, originally designed for serial communication. Modbus TCP uses the Transmission Control Protocol (TCP) and Internet Protocol (IP) to facilitate communication between devices, making it ideal for modern industrial automation and control systems.

The key difference between Modbus TCP and other Modbus protocols lies in the transport layer. While Modbus RTU and ASCII rely on serial communication, Modbus TCP uses TCP/IP, allowing for more reliable and efficient data exchange over Ethernet networks. This adaptation has made it a popular choice for industrial applications, as it offers improved performance, scalability, and ease of integration with existing network infrastructure.

Modbus TCP Protocol Fundamentals

Modbus TCP is a versatile protocol that can be used to transmit a variety of data types, including analog data. The messages consist of two main parts: the Modbus Application Protocol (MBAP) header and the Protocol Data Unit (PDU). [1] The MBAP header is specific to Modbus TCP and contains information about the message, such as the transaction identifier, protocol identifier, length, and unit identifier. Conversely, the PDU is common to all Modbus protocols and contains the function code and data.

Modbus frames including MBAP header Modbus frames, including MBAP header

The function code is a crucial component of Modbus TCP messages, as it determines the type of action to be performed by the receiving device. The Length field indicates the length of the ADU, in byte counts. Numerous function codes are available, and each corresponds to a specific operation, such as reading or writing data, performing diagnostics, or handling errors. Some common function codes include:

Read Coils (0x01): Reads the status of discrete outputs (coils) from the server device.
Read Discrete Inputs (0x02): Reads the status of discrete inputs from the server device.
Read Holding Registers (0x03): Reads the contents of holding registers from the server device.
Read Input Registers (0x04): Reads the contents of input registers from the server device.
Write Single Coil (0x05): Writes a single coil status to the server device.
Write Single Register (0x06): Writes a single holding register value to the server device.

In addition to the standard function codes, Modbus TCP also supports custom function codes for specific applications or devices. These custom function codes enhance flexibility and adaptability in Modbus TCP systems.

When a Modbus TCP client sends a message to a server, the TCP server processes the request. It returns a response containing the requested data or an acknowledgment of the performed action. If an error occurs during the processing of the request, the server returns an exception response containing an exception code that indicates the error specification. This error-checking mechanism ensures prompt issue resolution and the integrity of the system.

Modbus TCP Communication

In Modbus TCP communication, devices are categorized as clients or servers. Clients initiate communication by sending requests to servers, processing the requests, and returning responses. This client-server architecture allows efficient and organized data exchange between devices in a Modbus TCP network. [2]

The master-slave communication model is a type of network communication in which one device (the master) controls one or more other devices. In a Modbus TCP network, the master is responsible for initiating all communication, and the slaves are responsible for responding to the master's requests. The slave ID allows for a large number of slave devices to be connected to the network.

The master-slave communication model is well-suited for industrial automation applications because it is a simple and efficient way to control many devices. The master device can easily poll all the slave devices in the network, and the slave devices can easily respond to the master's requests.

Modbus TCP relies on TCP/IP for communication, which provides several advantages over serial-based Modbus protocols. TCP/IP is a widely used and well-established networking protocol that offers reliable data transmission, congestion control, error detection, and correction. These features make Modbus TCP suitable for large-scale industrial automation systems where reliable communication is critical.

TCP/IP Protocol Stack

The TCP/IP protocol stack consists of four layers: the application layer, transport layer, internet layer, and link layer. Each layer has a specific role in facilitating communication between devices on a network.

TCP/IP Model & Modbus (Application Layer)

Application Layer: This layer provides the interface between the user application and the underlying network protocols. In the case of Modbus TCP, the application layer handles the Modbus Application Protocol (MBAP) header and the Protocol Data Unit (PDU).
Transport Layer: The transport layer ensures reliable and ordered data delivery between devices. Modbus TCP uses the Transmission Control Protocol (TCP) at this layer, which provides connection-oriented communication, error detection, and flow control.
Internet Layer: This layer is responsible for routing data packets between devices on a network. The Internet Protocol (IP) is used at this layer, allowing Modbus TCP messages to be transmitted over Ethernet networks and even across the Internet.
Link Layer: The link layer is responsible for the physical transmission of data between devices on a local network. In Modbus TCP systems, this layer typically involves Ethernet communication, which offers high-speed data transfer and robust error detection capabilities.

By utilizing the TCP/IP protocol stack, Modbus TCP benefits from the reliability, scalability, and widespread adoption of TCP/IP. This makes it an attractive choice for industrial automation and control systems, where efficient and dependable communication is essential.

Recommended reading: Understanding Modbus TCP-IP: An In-depth Exploration

Modbus TCP Data Representation

Modbus uses the CRC-16-ANSI, also known as CRC-16-IBM. In Modbus TCP, data is represented using different data types, such as coils, discrete inputs, holding registers, and input registers. Coils and discrete inputs are single-bit values representing binary states, such as on/off or true/false. On the other hand, holding and input registers are 16-bit values that can store numerical data, such as integers or floating-point numbers.

Data representation in Modbus TCP messages involves encoding the data types into a specific format that can be easily transmitted and decoded by the devices in the network. For example, coils and discrete inputs are packed into a number of bytes, each containing the status of up to 8 coils or discrete inputs. Holding registers and input registers are transmitted as 16-bit values, with the most significant byte (MSB) sent first, followed by the least significant byte (LSB).

Data addressing in Modbus TCP is an essential aspect of the protocol, as it allows devices to identify and access specific data elements within the system. Modbus TCP uses a zero-based addressing scheme, meaning that the first coil, discrete input, holding register, or input register is addressed as 0. Each data type has its own address space, ensuring no overlap or ambiguity in addressing.

Modbus TCP Registers

Holding registers and input registers play a crucial role in Modbus messaging, as they store the data exchanged between devices. Application Data Unit (ADU) is the payload of a Modbus TCP message and contains the data being exchanged between the client and server. Holding registers store data that can be read and written by both clients and servers, while input registers store data that can only be read by clients.

The addressing scheme for Modbus registers is based on the data type and the register number. Holding registers are addressed using a range of 40001 to 49999, while input registers use a range of 30001 to 39999. It is important to note that these address ranges are used for human-readable representation and are not used in the actual Modbus TCP messages. In the messages, the register addresses are zero-based, with the first holding register addressed as 0 and the first input register addressed as 0.

Register mapping is common in Modbus TCP devices, allowing for efficient organization and data access. Register mapping involves assigning specific registers to store data related to specific functions or parameters within the device. This mapping can be customized by the device manufacturer or system integrator to suit the application's requirements, ensuring that data is easily accessible and logically organized.

Modbus TCP Functions

Modbus TCP functions are the operations that can be performed by the protocol, such as reading or writing data and performing diagnostics. The Modbus TCP messages identify these functions by function codes to specify the desired action. Some common functions include:

Read Coils: This function allows clients to read the status of discrete outputs (coils) from the server device. The client specifies the starting address and the number of coils to read, and the server returns the coil status in the response message.
Read Discrete Inputs: This function enables clients to read the status of discrete inputs from the server device. Similar to reading coils, the client specifies the starting address and the number of discrete inputs to read, and the server returns the input status in the response message.
Read Holding Registers: Clients can use this function to read the contents of holding registers from the server device. The client specifies the starting address and the number of holding registers to read, and the server returns the register values in the response message.
Read Input Registers: This function allows clients to read the contents of input registers from the server device. The client specifies the starting address and the number of input registers to read, and the server returns the register values in the response message.
Write Single Coil: Clients can use this function to write a single coil status into the server device. The client specifies the coil address and the desired status (on or off), and the server acknowledges the write operation in the response message.
Write Single Register: This function enables clients to write a single holding register value to the server device. The client specifies the register address and the desired value, and the server acknowledges the write operation in the response message.

In addition to these standard functions, Modbus TCP supports diagnostic functions that allow clients to request information about the server device's status and performance. These functions can monitor and troubleshoot the Modbus devices and TCP network, ensuring optimal operation and reliability.

Modbus TCP Exception Codes

Exception codes are used in Modbus TCP to handle errors that may occur during communication between devices. When a server encounters an error while processing a client's request, it returns an exception response containing an exception code that indicates the nature of the error. Some common Modbus communication exception codes include:

Illegal Function (0x01): This exception code indicates that the server received a request with an unsupported function code. The client should verify that the function code is valid and supported by the server device.
Illegal Data Address (0x02): This exception code signifies that the server received a request with an invalid data address. The client should verify that the specified address is within the valid range for the server device.
Illegal Data Value (0x03): This exception code indicates that the server received a request with an invalid data value. The client should verify that the specified value is within the valid range for the server device.
Server Device Failure (0x04): This exception code signifies that the server encountered an error while processing the request, such as a hardware failure or a communication error. The client should retry the request or contact the server device's manufacturer for assistance.

By using exception codes, Modbus TCP provides a robust error-handling mechanism that ensures the client and server are aware of any issues that may arise during communication. This allows for prompt resolution of errors and maintains the integrity and reliability of the Modbus TCP network.

Modbus TCP Security

Security is an important consideration in Modbus TCP communication, as the protocol was not originally designed with robust security features. As a result, Modbus TCP networks can be vulnerable to various security threats, such as unauthorized access, data tampering, and denial-of-service attacks. To address these concerns, several security measures can be implemented to protect Modbus TCP communication. One approach to enhancing Modbus TCP security is the use of encryption. Encrypting the data exchanged between devices makes it more difficult for attackers to intercept and manipulate the information. Routers can be used to secure Modbus TCP traffic.

Common encryption methods include Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which can be used to establish secure communication channels between Modbus data clients and servers. Another security measure is the implementation of authentication mechanisms.

Authentication ensures that only authorized devices can access and interact with the Modbus TCP network. This can be achieved through username/password combinations, digital certificates, or other authentication methods, such as challenge-response protocols. In addition to encryption and authentication, following best practices for securing Modbus TCP communication is essential. Some recommendations include:

Regularly updating firmware and software to address known vulnerabilities.
Implementing network segmentation isolates critical devices and limits an attack's potential impact.
Using firewalls and intrusion detection systems to monitor and control network traffic.
Establishing strong access control policies to restrict unauthorized access to devices and data.

Modbus TCP is a more secure protocol than Modbus UDP. By implementing these security measures and adhering to best practices, it is possible to significantly reduce the risk of security breaches and maintain the integrity and reliability of Modbus TCP communication in industrial automation and control systems.

Modbus TCP Integration and Interoperability

One of the key advantages of Modbus TCP is its ease of integration and interoperability with various devices and systems. The protocol's widespread adoption and its use of the TCP/IP protocol stack make it compatible with a wide range of industrial automation equipment, such as programmable logic controllers (PLCs), remote terminal units (RTUs), and human-machine interfaces (HMIs). [3]

Modbus TCP Protocol used in PLC Computers

Modbus TCP devices typically support a range of standard communication interfaces, such as Ethernet, Wi-Fi, and fiber-optic connections, to facilitate integration and interoperability. This flexibility allows Modbus TCP networks to be easily expanded and adapted to meet the requirements of different industrial applications.

In addition to hardware compatibility, Modbus TCP also offers software interoperability through application programming interfaces (APIs) and communication libraries. These software tools enable developers to easily implement Modbus TCP communication in their applications, regardless of the programming language or platform used. Some popular Modbus TCP libraries include libmodbus, pymodbus, and EasyModbusTCP.

Another aspect of Modbus TCP integration and interoperability is the support for protocol gateways and converters. These devices enable seamless communication between Modbus TCP networks and other industrial communication protocols, such as Modbus RTU, Modbus ASCII, or non-Modbus protocols like PROFINET and EtherNet TCP/IP. [4] By using gateways and converters, it is possible to create hybrid systems that leverage the strengths of different communication protocols while maintaining a unified and efficient data exchange.

Overall, the ease of integration and interoperability offered by Modbus TCP makes it a popular choice for industrial automation and control systems. Its compatibility with a wide range of devices, software tools, and communication protocols ensures that the Modbus function can be easily implemented and adapted to suit the needs of various applications and industries.

Modbus TCP Applications

Modbus TCP is widely used in various industrial applications due to its reliability, ease of integration, and compatibility with various devices. The protocol's ability to support efficient and organized data exchange makes it suitable for various use cases in different industries. Some common Modbus TCP applications include:

Industrial Automation

Modbus TCP Protocol used in Industrial Automation

Modbus TCP is extensively used in industrial automation systems, where it facilitates communication between devices such as PLCs, RTUs, and HMIs. These systems often involve complex processes and require real-time monitoring and control, making Modbus TCP's reliable and efficient data exchange capabilities essential.

Building Automation

In building automation systems, Modbus TCP can manage and control various subsystems, such as construction, heating, air conditioning (HVAC), lighting, and security. [5] By integrating these subsystems through Modbus TCP, facility managers can optimize energy consumption, improve occupant comfort, and enhance overall building performance.

Energy Management

Modbus TCP Protocol used in Energy Management Systems

Modbus TCP is commonly employed in energy management systems to monitor and control energy consumption in industrial and commercial facilities. The protocol enables data collection from various energy meters, sensors, and control devices, allowing for analyzing and optimizing energy usage patterns.

Remote Monitoring

Remote monitoring applications rely on Modbus TCP to transmit data from field devices to central monitoring stations. This enables operators to monitor the status of remote equipment, such as pumps, generators, or environmental sensors, and make informed decisions based on real-time data.

Transportation

Modbus TCP Protocol used in Road Traffic Control Cameras

In transportation systems, Modbus TCP manage and control various components, such as traffic signals, electronic signs, and vehicle detection systems. By enabling efficient communication between these components, Modbus TCP helps to improve traffic flow, reduce congestion, and enhance overall transportation system performance.

These examples illustrate the versatility and adaptability of Modbus TCP in addressing the communication needs of various industries and applications. Its robust and reliable data exchange capabilities make it a popular choice for organizations seeking to optimize their operations and improve overall system performance.

Conclusion

Modbus TCP is a widely adopted industrial communication protocol that offers reliable and efficient data exchange between devices in various applications. Its compatibility with the TCP/IP protocol stack, ease of integration, and support for a broad range of devices make it a popular choice for several industries. This includes industrial automation, building automation, energy management, remote monitoring, and transportation. Modbus TCP can provide a secure and reliable communication solution for diverse applications and industries by implementing robust security measures and adhering to best practices.

Frequently Asked Questions (FAQs)

1. What is the difference between Modbus TCP and Modbus RTU?

A. Modbus TCP is a variant of the Modbus protocol that uses the TCP/IP address or protocol stack for communication, while Modbus RTU protocol is a serial line communication protocol that uses RS-485 or RS-232 interfaces. Modbus TCP is better suited for Ethernet-based networks, whereas Modbus RTU is more commonly used in serial ports and communication networks.

2. How does Modbus TCP handle error detection and correction?

A. Modbus TCP relies on the underlying TCP/IP networks for error detection and correction. The TCP protocol includes mechanisms such as checksums, sequence numbers, and acknowledgments to ensure reliable and error-free communication between devices.

3. Can Modbus TCP and Modbus RTU devices communicate with each other?

A. While Modbus TCP and RTU devices use different communication methods, they can communicate with each other through the use of protocol gateways or converters. These devices translate the messages between the two protocols, enabling seamless communication between Modbus TCP and RTU networks.

4. What are the typical data types used in Modbus TCP communication?

A. Modbus TCP supports four primary data types: coils (discrete outputs), discrete inputs, holding registers, and input registers. Coils and discrete inputs represent single-bit values, while holding registers and input registers store 16-bit (hexadecimal) values.

5. How can I secure my Modbus TCP network?

A. To enhance the security of your Modbus TCP network, you can implement encryption methods such as SSL or TLS, use authentication mechanisms like username/password combinations or digital certificates, and follow best practices for network security, such as regular firmware updates, network segmentation, and strong access control policies.

References

1. ipc2u. Detailed description of the Modbus TCP protocol with command examples. [Cited 2023 July 21] Available at: Link

2. Wevolver. Understanding Modbus TCP/IP: An In depth Exploration. [Cited 2023 July 21] Available at: Link

3. rtautomation. An Introduction to Modbus TCP/IP. [Cited 2023 July 21] Available at: Link

4. Wevolver. Modbus RTU: A Comprehensive Guide to Understanding and Implementing the Protocol. [Cited 2023 July 21] Available at: Link

5. Wattsense. The Modbus protocol in building management. [Cited 2023 July 21] Available at: Link

Search for articles and topics on Wevolver

"automation"

"cybersecurity"

"Human-Computer Interaction"

Understanding Low-Cost IoT Attacks

The risk of low-cost IoT attacks demands vigilance and innovation.

24 Mar, 2022

This is the first article in a 4-part series based on a whitepaper published by Intrinsic ID that dives deep into such low-cost IoT attacks. The series will cover the origin of the low-cost attacks, their types, preventions, security assurance, how to ensure IoT platform security, IC lifecycle, and how it impacts IC's safety. The first article will examine low-cost IoT attacks from their conceptual foundation.

Download the free whitepaper

In 2018, Rafael Boix Carpi attacked a general-purpose microcontroller device, broke the AES encryption, and unveiled the messages being sent. He wasn’t the first successful attacker to do so, but he’d made a stunning discovery - he could hijack an IoT device with almost zero resources. The attack had cost less than $60. The table below shows the cost breakdown of Rafael's attack. Figure 1: The cost breakdown of Rafael Boix Carpi’s 2018 infamous IoT attack.

Vulnerable IoT and Low-Cost IoT Attacks

By 2025, there will likely be more than 27 billion IoT connections across industries as broad as agriculture, manufacturing, transportation and logistics, healthcare, energy, smart homes, and smart cities. The global IoT market is expected to reach USD 1.39 Trillion by 2026.⁽¹⁾

These devices enable an unprecedented era of rapid automation and data-driven insight and decision making. Simultaneously the advent of IoT presents new aspects of vulnerability to businesses and organizations. According to a cyber solutions company Kaspersky, an analysis of its telemetry from honeypots revealed that more than 1.5 billion IoT attacks were detected in 2021– up from 639 million during the first half of 2020.⁽²⁾

Types of IoT Attackers

The people performing attacks on IoT devices can be broadly organized into four main categories.

Governmental Attackers

How Physical Unclonable Functions (PUFs) are Creating Trust

This article discusses a technology called physical unclonable functions (PUFs) and shows how this technology can help chip vendors and device manufacturers to generate and securely store cryptographic keys that will keep their devices, data, IP, and systems safe from attackers.

Vincent van der Leest

fromIntrinsic ID

08 Sep, 2020

cybersecurity

- IIoT

- IoT

At the core of any device’s security architecture is a cryptographic root key. From this root key additional keys can be derived for authenticating the device, validating software, and encrypting sensitive data. Every device that contains something of value (e.g. data or IP) or that is connected to a network needs these keys to operate securely. Since these keys are the anchor of trust for a device, they should never fall into the hands of adversaries who could be looking to steal sensitive data, copy valuable IP, or disrupt connected systems. However, generating these cryptographic keys and storing them securely on a device is far from trivial. PUFs are a technology that provides a secure mechanism for generating and storing cryptographic keys.

What is a Physical Unclonable Function?

A very good definition of physical (or physically) unclonable functions can be found in the book “Physically Unclonable Functions: Constructions, Properties and Applications” by Roel Maes:

“Physically unclonable functions (PUFs) are innovative physical security primitives that produce unclonable and inherent instance-specific measurements of physical objects; in many ways they are the inanimate equivalent of biometrics for human beings. Since they are able to securely generate and store secrets, they allow us to bootstrap the physical implementation of an information security system.”

As stated here, a PUF can be any physical object that produces these instance-specific measurements. However, in this article we will focus on the best-known subset of PUFs, which are silicon PUFs. As the name suggests this specific type of PUF gets its instance-specific measurements from silicon, which means these PUFs are part of an integrated circuit (IC).

Due to deep submicron manufacturing process variations, every transistor in an IC has slightly different physical properties. These variations lead to small but measurable differences in terms of ele

Modbus TCP: A Comprehensive Guide to the Protocol and Its Applications

This article provides a detailed overview of the Modbus TCP protocol fundamentals, communication, data representation, security, daily life applications, and integration.

Introduction

Modbus TCP Protocol Fundamentals

Modbus TCP Communication

TCP/IP Protocol Stack

Modbus TCP Data Representation

Modbus TCP Registers

Modbus TCP Functions

Modbus TCP Exception Codes

Modbus TCP Security

Modbus TCP Integration and Interoperability

Modbus TCP Applications

Industrial Automation

Building Automation

Energy Management

Remote Monitoring

Transportation

Conclusion

Frequently Asked Questions (FAQs)

References

Search for articles and topics on Wevolver

Metal Core PCB (MCPCB): Revolutionizing Thermal Management in Electronics

What is Electronics Manufacturing Services (EMS): A Comprehensive Guide for Engineers...

Hipot Test: Ensuring Electrical Safety and Reliability

Vulnerable IoT and Low-Cost IoT Attacks

Types of IoT Attackers

What is a Physical Unclonable Function?

Solving IoT Security Issues with Embedded Microcontrollers

CAVP - NIST ACVTS - Are you still with me?

Security Assurance of IoT Systems