Modbus TCP/IP

Ethernet-based variant of Modbus using TCP/IP. Combines simplicity of Modbus with speed and scalability of Ethernet.

  • Type: Industrial Ethernet
  • Speed: 10/100/1000 Mbps
  • Released: 1999
  • Organization: Modbus Organization
  • Bandwidth: 1 Gbps capable
  • Max Nodes: Unlimited (network dependent)
  • Max Distance: 100m per segment (with switches: unlimited)
  • Real-Time: No

Modbus TCP frame structure (MBAP header)

Modbus TCP wraps the standard Modbus PDU (function code + data) in a 7-byte MBAP header carried over TCP port 502. CRC is dropped because TCP already provides error detection.

Modbus RTU frame structure. Total: 4 bytes overhead + N data bytes (max frame 256 bytes)

| Field | Size | Description |
|---|---|---|
| Slave Address | 1 byte | Target device address (1–247) |
| Function Code | 1 byte | What action to perform |
| Data | N bytes | Register addresses, values, byte … |
| CRC-16 | 2 bytes | Cyclic redundancy check (low byte… |

Modbus TCP/IP ADU (Application Data Unit). MBAP header (7 bytes) + PDU (function code + data)

| Field | Size | Description |
|---|---|---|
| Transaction ID | 2 bytes | Request/response correlation |
| Protocol ID | 2 bytes | Always 0x0000 for Modbus |
| Length | 2 bytes | Bytes that follow |
| Unit ID | 1 byte | Bridges to RTU slave address |
| Function Code | 1 byte | Same codes as RTU |
| Data | N bytes | Same payload as RTU |

The Unit ID byte (originally the slave address in RTU) is preserved for backward compatibility — gateways use it to route requests to serial devices behind a TCP proxy.

Modbus function codes (complete reference)

Every Modbus request begins with a function code. The same codes apply to the RTU, ASCII and TCP/IP variants. Codes 1–127 are public, except 65–72 and 100–110, which are vendor-defined; 128–255 indicate exception responses (function code | 0x80).

| Code | Hex | Name | Type | Description |
|---|---|---|---|---|
| 01 | 0x01 | Read Coils | read | Read 1–2000 contiguous coil (output bit) statuses |
| 02 | 0x02 | Read Discrete Inputs | read | Read 1–2000 contiguous input (read-only bit) statuses |
| 03 | 0x03 | Read Holding Registers | read | Read 1–125 contiguous 16-bit holding registers |
| 04 | 0x04 | Read Input Registers | read | Read 1–125 contiguous 16-bit input (read-only) registers |
| 05 | 0x05 | Write Single Coil | write | Force a single coil ON (0xFF00) or OFF (0x0000) |
| 06 | 0x06 | Write Single Register | write | Write one 16-bit value to a single holding register |
| 07 | 0x07 | Read Exception Status | diag | Read 8 exception status outputs (serial line only) |
| 08 | 0x08 | Diagnostics | diag | Loopback, counter reset, CRC error count, and other diagnostics (serial only) |
| 11 | 0x0B | Get Comm Event Counter | diag | Returns count of successful messages (serial only) |
| 15 | 0x0F | Write Multiple Coils | write | Force 1–1968 contiguous coils ON or OFF |
| 16 | 0x10 | Write Multiple Registers | write | Write 1–123 contiguous 16-bit holding registers |
| 17 | 0x11 | Report Slave ID | diag | Returns slave description and run/idle status (serial only) |
| 20 | 0x14 | Read File Record | read | Read records from extended memory file |
| 21 | 0x15 | Write File Record | write | Write records to extended memory file |
| 22 | 0x16 | Mask Write Register | write | AND/OR mask one holding register (read-modify-write atomic) |
| 23 | 0x17 | Read/Write Multiple Registers | read | Combined write then read in a single transaction |
| 24 | 0x18 | Read FIFO Queue | read | Read 0–31 register values from a FIFO buffer |
| 43 | 0x2B | Encapsulated Interface | diag | Read device identification (vendor, product code, version) |

Modbus exception codes

When a slave can't complete a request it returns an exception response: the original function code with the high bit set (e.g. 0x03 → 0x83), followed by an exception code byte. Use this table to decode what your client logs when something fails.

| Code | Hex | Name | Meaning & typical cause |
|---|---|---|---|
| 01 | 0x01 | Illegal Function | The function code is not recognised or not allowed in the current state |
| 02 | 0x02 | Illegal Data Address | The data address requested is not allowed for the slave (out of register map) |
| 03 | 0x03 | Illegal Data Value | A value in the request is invalid (e.g. quantity outside permitted range) |
| 04 | 0x04 | Slave Device Failure | Unrecoverable error while attempting to perform the requested action |
| 05 | 0x05 | Acknowledge | Slave has accepted the request but needs more time. Master should poll with code 0x0B |
| 06 | 0x06 | Slave Device Busy | Slave is processing a long-duration program command. Master must retry later |
| 08 | 0x08 | Memory Parity Error | Slave detected a parity error reading extended memory (functions 20 & 21) |
| 0A | 0x0A | Gateway Path Unavailable | Modbus gateway could not allocate an internal communication path |
| 0B | 0x0B | Gateway Target Failed to Respond | Modbus gateway has no response from the target device (timeout) |
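
The MBAP layout and the exception-response rule described above, combined in an added Python example (not code from the original page). It parses one complete ADU, rejects frames whose Protocol ID or Length field is inconsistent, decodes exception replies, and flags write function codes, which is the field a monitoring tool or protocol-aware firewall rule keys on. The name `parse_adu` and the sample frames are constructed for illustration.

```python
import struct

# Function codes that change device state. 0x17 is typed "read" in the table
# above but writes before it reads, so it is counted as a write here.
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x15, 0x16, 0x17}
EXCEPTIONS = {
    0x01: "Illegal Function", 0x02: "Illegal Data Address",
    0x03: "Illegal Data Value", 0x04: "Slave Device Failure",
    0x05: "Acknowledge", 0x06: "Slave Device Busy",
    0x08: "Memory Parity Error", 0x0A: "Gateway Path Unavailable",
    0x0B: "Gateway Target Failed to Respond",
}

def parse_adu(frame: bytes) -> dict:
    """Parse one complete Modbus TCP ADU; raise ValueError if malformed."""
    if len(frame) < 8:  # 7-byte MBAP header plus a function code
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0x0000:
        raise ValueError(f"protocol id {pid:#06x} is not Modbus")
    # Length counts the bytes after the Length field: Unit ID + PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field says {length}, frame has {len(frame) - 6}")
    code, data = frame[7], frame[8:]
    info = {
        "transaction_id": tid,
        "unit_id": unit,
        "function": code & 0x7F,            # strip the exception bit
        "is_exception": bool(code & 0x80),
        "is_write": (code & 0x7F) in WRITE_CODES,
    }
    if info["is_exception"]:
        if len(data) != 1:
            raise ValueError("exception response must carry exactly one code byte")
        info["exception"] = EXCEPTIONS.get(data[0], f"unknown {data[0]:#04x}")
    return info

# Constructed sample frames (not captured traffic).
READ_REQUEST = bytes.fromhex("000100000006010300000002")  # read 2 holding registers
EXCEPTION_REPLY = bytes.fromhex("000100000003018302")     # 0x83 + Illegal Data Address
WRITE_COIL = bytes.fromhex("0002000000061105000aff00")    # unit 17, force coil ON

if __name__ == "__main__":
    for sample in (READ_REQUEST, EXCEPTION_REPLY, WRITE_COIL):
        print(parse_adu(sample))
```

TCP is a byte stream, so a real capture may split or coalesce ADUs across segments; reassemble using the Length field before calling the parser.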

Modbus data model: the four register types

Coils

00001–09999
Size: 1 bit
Access: Read/Write
Used for: Digital outputs (relays, motor starters, indicator lamps)

Discrete Inputs

10001–19999
Size: 1 bit
Access: Read-only
Used for: Digital inputs (limit switches, push buttons, sensors)

Input Registers

30001–39999
Size: 16 bits
Access: Read-only
Used for: Analog inputs (temperature, pressure, flow readings)

Holding Registers

40001–49999
Size: 16 bits
Access: Read/Write
Used for: Setpoints, configuration, multi-purpose data exchange

Note: address numbering uses 1-based addresses with a leading register-type digit. On the wire, addresses are 0-based (40001 → wire address 0). Many client libraries hide this offset; some do not.
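
The offset described in the note above, as an added Python example (not from the original page). It maps a data-model reference such as 40001 to its table, read function code and 0-based wire address, enforces the per-request quantity limits from the function code table, and builds the request ADU. The names `to_wire` and `build_read` are illustrative.

```python
import struct

# Reference prefix -> (table, read function code, max quantity per request).
# Ranges and limits are the ones listed in the tables on this page.
TABLES = {
    0: ("coil", 0x01, 2000),
    1: ("discrete input", 0x02, 2000),
    3: ("input register", 0x04, 125),
    4: ("holding register", 0x03, 125),
}

def to_wire(reference: int):
    """Map a reference such as 40001 to (table, function code, wire address)."""
    prefix, number = divmod(reference, 10000)
    if prefix not in TABLES or number == 0:
        raise ValueError(f"{reference} is not a valid data-model reference")
    table, code, _ = TABLES[prefix]
    return table, code, number - 1          # 1-based reference -> 0-based wire

def build_read(reference: int, quantity: int, transaction_id=1, unit_id=1) -> bytes:
    """Build a read request ADU for `quantity` items starting at `reference`."""
    table, code, address = to_wire(reference)
    limit = TABLES[reference // 10000][2]
    if not 1 <= quantity <= limit:
        raise ValueError(f"{table} reads allow 1-{limit} items, got {quantity}")
    if address + quantity > 9999:
        raise ValueError("read runs past the end of the table's reference range")
    pdu = struct.pack(">BHH", code, address, quantity)
    # Length = Unit ID (1 byte) + PDU
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, len(pdu) + 1, unit_id)
    return mbap + pdu

if __name__ == "__main__":
    print(to_wire(40001))
    print(build_read(40001, 2).hex())
```

A client that sends 40001 unchanged as the wire address reads a different register than intended or gets an Illegal Data Address exception, so check which convention your library expects.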

When to Use Modbus TCP/IP

Choose Modbus TCP/IP for SCADA systems, plant-wide networks, remote monitoring, or when integrating industrial equipment with IT systems.

Technical Specifications

Physical Layer

  • Physical Layer: IEEE 802.3 Ethernet
  • Cable Type: Cat5e/Cat6 Ethernet
  • Topology: Star, Tree, Ring
  • Power Over Cable: No

Data Layer

  • Data Link: TCP/IP
  • Encoding: Binary
  • Error Detection: TCP checksum
  • Frame Size: 1500 bytes (MTU)

Performance

  • Scan Time: 1-10ms typical
  • Deterministic: No
  • Real-Time: No

Certification

  • Certification Required: No
  • License Cost: Free (open standard)
  • Version: Current

Advantages & Disadvantages

Advantages

  • High speed (up to 1 Gbps)
  • Uses standard Ethernet infrastructure
  • Unlimited nodes and distance (with switches)
  • Easy IT integration
  • Simple protocol (Modbus heritage)
  • Open standard and free
  • Remote access capability

Disadvantages

  • Not deterministic (not real-time)
  • No built-in security: no authentication or encryption (requires VPN/firewall)
  • Higher latency than dedicated fieldbuses
  • Requires managed switches for large networks
  • No device profiles or configuration tools

Common Use Cases & Applications

SCADA systems
Plant-wide data collection
Building management systems
Remote monitoring
Enterprise system integration
Large distributed systems

Industry Adoption

  • Adoption Level: Very High
  • Market Share: 25-35% of industrial Ethernet
  • Geographic Presence: Worldwide
  • Primary Industries: Oil & Gas, Water/Wastewater, Building Automation, Manufacturing, Energy

Supported Message Types

Read Coils
Read Discrete Inputs
Read Holding Registers
Write Single Coil
Write Single Register
Write Multiple Registers
