I will be making videos, demos, code in VB, C# and more.
Modbus is a serial communication protocol published by Modicon® in 1979 for use with its programmable logic controllers (PLCs). In simple terms, it is a method used for transmitting information over serial lines between electronic devices. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus RTU network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves. Modbus is an open protocol, meaning that it's free for manufacturers to build into their equipment without having to pay royalties. It has become a standard communications protocol in industry, and is now the most commonly available means of connecting industrial electronic devices. It is used widely by many manufacturers throughout many industries.
If you want to read the spec, go to http://www.modbus.org/specs.php
Modbus RTU and Modbus TCP work differently from a hardware point of view. Modbus TCP uses Ethernet, where Modbus RTU uses a 232 or 485 network. But with all of these hardware types the messaging is about the same. The only exception is Modbus ASCII. This will not be covered, as this version of Modbus is not used anymore.
Modbus is a point-to-point protocol where the master device (most of the time an HMI or PLC) asks for data from the slave device (this could be a drive, IO or whatever). With Modbus RTU it can only ask one slave device at a time. This makes Modbus RTU a lot slower than Modbus TCP, as Modbus TCP can ask many slave devices for data at the same time.
The reason Modbus RTU can't ask more than one device is because it is an RTU network. RTU networks are voltage-based networks where everyone sees the messages. It is like a one-lane road with a lot of homes on it; the messages are sent using only 1 mail man that can only hold one package at a time. The mail man goes back and forth between the homes and the post office (slave device and PLC).
Modbus TCP, if written right, can ask questions of many slave devices at the same time. It is like you have a lot of homes on a road that has a lot of lanes. Each lane can have 1 mail man doing the same thing the Modbus RTU network does. You can see how this would run faster, but there is more to the story. You might ask why the mail man only holds one package at a time. This is because Modbus is a point-to-point protocol. Some protocols, like EtherCAT, are not point-to-point protocols and are more like a train with a lot of cars on it, where each car belongs to a slave device. In the TCP world the lanes would be called connections. An HMI or PLC might only be able to have 4 connections at a time, and that is OK. But if you need to talk to a lot more than 4 slave devices, the network starts to slow down just a bit. This is because the HMI or PLC has to close the connection before it can start talking to a different slave device.
Both Modbus TCP and RTU use the same function codes and data addresses. So if you have a device that talks both Modbus RTU and Modbus TCP, the same function codes and data addresses work.
01 (01 hex) Read Discrete Output Coils - This would be a read of 1 or more digital outputs.
05 (05 hex) Write single Discrete Output Coil - This would be a write to a digital output. It lets you turn the output on and off.
15 (0F hex) Write multiple Discrete Output Coils - This lets you write to more than one digital output.
02 (02 hex) Read Discrete Input Contacts - This would be a read of 1 or more digital inputs.
04 (04 hex) Read Analog Input Registers - This would be used to read 1 or more analog inputs.
03 (03 hex) Read Analog Output Holding Registers - This is used to read 1 or more analog outputs. This is used for more than just analog today. It is used for any setting in the drive / IO and more. The Unidrive SP and Unidrive M only use Holding registers for all types of data, like digital inputs and outputs.
06 (06 hex) Write single Analog Output Holding Register - This is a write to a holding register. This could be an analog or a setting or more.
16 (10 hex) Write multiple Analog Output Holding Registers - This is a write to more than one holding register. This could be an analog or a setting or more.
Data addresses are different for every device out there, so you have to look at the slave device to know more. If you want to know how the Unidrive M data addresses work, see the files at the top of the web page.
This command is requesting the content of analog input register # 30009
from the slave device with address 17.
11 04 0008 0001 B298
11: The Slave Address (11 hex = address 17)
04: The Function Code 4 (read Analog Input Registers)
0008: The Data Address of the first register requested.
( 0008 hex = 8 , + 30001 offset = input register #30009 )
0001: The total number of registers requested. (read 1 register)
B298: The CRC (cyclic redundancy check) for error checking. This will be covered later, but it is used to make sure that the message has good data in it.
11 04 02 000A F8F4
11: The Slave Address (11 hex = address 17)
04: The Function Code 4 (read Analog Input Registers)
02: The number of data bytes to follow (1 registers x 2 bytes each = 2 bytes)
000A: The contents of register 30009
F8F4: The CRC (cyclic redundancy check). This will be covered later, but it is used to make sure that the message has good data in it.
This command is writing the contents of analog output holding register # 40002
to the slave device with address 17.
11 06 0001 0003 9A9B
11: The Slave Address (11 hex = address 17 )
06: The Function Code 6 (Preset Single Register)
0001: The Data Address of the register.
( 0001 hex = 1 , + 40001 offset = register #40002 )
0003: The value to write
9A9B: The CRC (cyclic redundancy check) for error checking. This will be covered later, but it is used to make sure that the message has good data in it.
Response
The normal response is an echo of the query, returned after the register contents have been written.
11 06 0001 0003 9A9B
11: The Slave Address (11 hex = address 17)
06: The Function Code 6 (Preset Single Register)
0001: The Data Address of the register. (# 40002 - 40001 = 1 )
0003: The value written
9A9B: The CRC (cyclic redundancy check) for error checking. This will be covered later, but it is used to make sure that the message has good data in it.
The picture above shows the different parts of the Modbus message for both TCP and RTU. You can see almost all of the Modbus RTU message is in the Modbus TCP message. You will also see they changed the Slave ID to Unit ID. This happened because they did not need the Slave ID anymore, since Modbus TCP uses IP addresses. So what is the Unit ID? It is now used to select a different drive that is connected to the slave device. Let's say you have a remote IO drive, and on this device you had 4 slices of IO. You could use the Unit ID to read and write to a slice directly. This is what the Unidrive M line does. Each slot on the drive uses a different unit ID: slot 1 ID = 1, slot 2 ID = 2 and so on.
You can also see they removed the CRC from the end of the Modbus RTU message. What is left over is called the PDU (Protocol Data Unit). The reason they don't need the CRC with Modbus TCP is that the TCP that runs on the Ethernet network takes care of bad messages for you.
This command is requesting the content of analog output holding registers # 40108 to 40110 from the slave device with address 17.
11 03 006B 0003 7687
11: The Slave Address (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108 - 40001 = 107 = 6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
7687: The CRC (cyclic redundancy check) for error checking.
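The CRC check that closes each RTU frame above can be reproduced in a few lines. This is an added example, not code from the original page: it recomputes the CRC for the three request frames shown here and decodes their fields. The names crc16_modbus and decode_rtu_request are chosen for this example, and it only handles the 8-byte requests for function codes 03, 04 and 06.

```python
import struct

# Register-number offsets used on this page, keyed by function code.
OFFSETS = {0x03: 40001, 0x04: 30001, 0x06: 40001}

# The three RTU requests shown on this page.
PAGE_REQUESTS = [
    "11 04 00 08 00 01 B2 98",
    "11 06 00 01 00 03 9A 9B",
    "11 03 00 6B 00 03 76 87",
]

def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: start at FFFF, reflected polynomial A001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            carry = crc & 1
            crc >>= 1
            if carry:
                crc ^= 0xA001
    return crc

def decode_rtu_request(frame: bytes) -> dict:
    """Decode an 8-byte RTU request for function code 03, 04 or 06."""
    if len(frame) != 8:
        raise ValueError("expected address, function, two 16-bit fields and CRC")
    slave, function, address, field = struct.unpack(">BBHH", frame[:6])
    if function not in OFFSETS:
        raise ValueError(f"function code {function:02X} is not handled here")
    # Data fields are big-endian, but the CRC travels low byte first.
    (sent_crc,) = struct.unpack("<H", frame[6:])
    return {
        "slave": slave,
        "function": function,
        "register": address + OFFSETS[function],
        "count_or_value": field,   # register count for 03/04, value for 06
        "crc_ok": sent_crc == crc16_modbus(frame[:6]),
    }

if __name__ == "__main__":
    for text in PAGE_REQUESTS:
        print(text, "->", decode_rtu_request(bytes.fromhex(text)))
```

A frame whose crc_ok is False was damaged on the wire and should be dropped rather than acted on.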
MBAP Header - ( see red box in picture above )
A new 7-byte header called the MBAP header (Modbus Application Header) is added to the start of the message. This header has the following data:
Transaction Identifier: 2 bytes set by the Client to uniquely identify each request. These bytes are echoed by the Server since its responses may not be received in the same order as the requests.
Protocol Identifier: 2 bytes set by the Client, always = 00 00
Length: 2 bytes identifying the number of bytes in the message to follow.
Unit Identifier: 1 byte set by the Client and echoed by the Server for identification of a remote slave connected on a serial line or on other buses.
Modbus RTU looks like this
11 03 006B 0003 7687
Modbus TCP looks like this
0001 0000 0006 11 03 006B 0003
0001: Transaction Identifier
0000: Protocol Identifier
0006: Message Length (6 bytes to follow)
11: The Unit Identifier (17 = 11 hex)
03: The Function Code (read Analog Output Holding Registers)
006B: The Data Address of the first register requested. (40108 - 40001 = 107 = 6B hex)
0003: The total number of registers requested. (read 3 registers 40108 to 40110)
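The RTU-to-TCP re-wrapping shown above, written out as an added example (not code from the original page). It builds the MBAP header from the field list given earlier and, on the receiving side, rejects a message whose Protocol Identifier or Length field does not fit those rules. The function names are chosen for this example, and parse_tcp assumes it is handed exactly one message.

```python
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

def rtu_to_tcp(rtu_frame: bytes, transaction_id: int) -> bytes:
    """Re-wrap an RTU frame for Modbus TCP: drop the CRC, prepend the MBAP header."""
    if len(rtu_frame) < 4:
        raise ValueError("RTU frame needs address, function code and 2 CRC bytes")
    unit_id, pdu = rtu_frame[0], rtu_frame[1:-2]
    # The length field counts every byte after it: the unit id plus the PDU.
    return MBAP.pack(transaction_id, 0, 1 + len(pdu), unit_id) + pdu

def parse_tcp(adu: bytes) -> dict:
    """Split one Modbus TCP message, rejecting headers that break the rules above."""
    if len(adu) < MBAP.size + 1:
        raise ValueError("too short for an MBAP header plus a function code")
    transaction_id, protocol_id, length, unit_id = MBAP.unpack_from(adu)
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 00 00")
    if length != len(adu) - 6:
        raise ValueError("length field does not match the bytes that follow it")
    pdu = adu[MBAP.size:]
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function": pdu[0], "data": pdu[1:]}

def is_reply_to(request: dict, response: dict) -> bool:
    """The server echoes the transaction id and unit id, so both must match."""
    return (request["transaction_id"] == response["transaction_id"]
            and request["unit_id"] == response["unit_id"])

if __name__ == "__main__":
    rtu = bytes.fromhex("11 03 00 6B 00 03 76 87")   # RTU frame from this page
    adu = rtu_to_tcp(rtu, transaction_id=1)
    print(adu.hex().upper())
    print(parse_tcp(adu))
```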