ModbusTCP Protocol Analysis
ModbusTCP and ModbusUDP share the same message format; the difference between them is only the difference between the TCP and UDP transports, so the analysis below covers ModbusTCP. The differences between ModbusTCP and Modbus RTU (Modbus ASCII) are shown in the figure below:

As the figure shows, ModbusTCP takes the Modbus serial frame, removes the checksum (TCP already provides its own) and the device address (ModbusTCP de-emphasizes the device address, which is largely replaced by the IP address), and adds the 7-byte MBAP header. The MBAP fields are analyzed below:
Field | Length | Description | Client | Server |
---|---|---|---|---|
Transaction Identifier | 2 bytes | Pairs a Modbus request with its response | Set by client | Copied from the request |
Protocol Identifier | 2 bytes | 0 = Modbus protocol | Set by client | Copied from the request |
Length | 2 bytes | Number of bytes that follow this field (Unit Identifier plus PDU) | Set by client | Set by server |
Unit Identifier | 1 byte | Identifies a slave on a serial link or other bus behind the TCP endpoint | Set by client | Copied from the request |
With this foundation, we now analyze the specific message format of the Modbus protocol over Ethernet (TCP):
Transaction Identifier | Protocol Identifier | Length | Unit Identifier | Function Code | Data |
---|---|---|---|---|---|
2 bytes | 2 bytes | 2 bytes | 1 byte | 1 byte | N bytes |
Next, each function code is analyzed in detail:
Read Output Coils
The sending message format is as follows:

Meaning of the sending message: Read the output coils of slave 1 on the server, starting address 0x13=19, corresponding address 00020, number of coils 0x1B=27; that is, read the output coils of slave 1 at addresses 00020-00046, a total of 27 coil status values.
It is worth noting that the starting address in the protocol refers to the index, while the subsequent addresses refer to specific addresses. For any storage area, the index starts from 0, but the corresponding specific address is related to the storage area. For example, for output coils, 0 corresponds to 00001; for input coils, 0 corresponds to 10001; for input registers, 0 corresponds to 30001; for holding registers, 0 corresponds to 40001.
The return message format is as follows:

Meaning of the return message: Returns the state values of output coils 00020-00046 of slave 1 on the server, with a return byte count of 4, namely CD 6B B2 05. Within each byte the least significant bit is the lowest-numbered coil, so bit 0 of CD is coil 00020:
CD=1100 1101 corresponds to 00020-00027
6B=0110 1011 corresponds to 00028-00035
B2=1011 0010 corresponds to 00036-00043
05=0000 0101 corresponds to 00044-00046
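As an added example (not code from the original article), the following Python builds the function code 0x01 request described above (unit 1, start index 0x13, 27 coils), validates the MBAP header of a response, and maps the response bytes CD 6B B2 05 onto coil addresses 00020-00046 using the address bases from the text; the response frame is constructed here for the example.

```python
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

# Index 0 of each storage area corresponds to these conventional addresses.
ADDRESS_BASE = {"coil": 1, "discrete_input": 10001,
                "input_register": 30001, "holding_register": 40001}

def build_read_coils_request(transaction_id, unit_id, start_index, quantity):
    """Function code 0x01: MBAP + function code + start index + quantity."""
    pdu = struct.pack(">BHH", 0x01, start_index, quantity)
    # Length counts the unit identifier plus the PDU, not the 6 bytes before it.
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_adu(frame):
    """Split an ADU into MBAP fields and PDU, checking protocol id and length."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match %d trailing bytes"
                         % (length, len(frame) - 6))
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": frame[7], "pdu": frame[7:]}

def decode_read_coils_response(frame, start_index, quantity):
    """Map packed coil bytes (bit 0 = lowest coil) onto 0xxxx addresses."""
    adu = parse_adu(frame)
    if adu["function_code"] & 0x80:
        raise ValueError("exception response, code 0x%02x" % adu["pdu"][1])
    if adu["function_code"] != 0x01:
        raise ValueError("not a Read Coils response")
    byte_count = adu["pdu"][1]
    data = adu["pdu"][2:2 + byte_count]
    if byte_count != (quantity + 7) // 8 or len(data) != byte_count:
        raise ValueError("byte count does not match requested quantity")
    coils = {}
    for i in range(quantity):
        bit = (data[i // 8] >> (i % 8)) & 1  # LSB of each byte is the first coil
        coils[ADDRESS_BASE["coil"] + start_index + i] = bit
    return coils

request = build_read_coils_request(1, 1, 0x13, 0x1B)
# Constructed response carrying the article's data bytes CD 6B B2 05.
response = MBAP.pack(1, 0, 7, 1) + bytes([0x01, 0x04, 0xCD, 0x6B, 0xB2, 0x05])
coils = decode_read_coils_response(response, 0x13, 0x1B)
```

The length check in parse_adu is the kind of consistency test a protocol monitor should apply before trusting the byte count that follows.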
Read Input Coils
The sending message format is as follows:

Meaning of the sending message: Read the input coils of slave 1 on the server, starting address 0xC4=196, corresponding address 10197, number of coils 0x1D=29; that is, read the input coils of slave 1 at addresses 10197-10225, a total of 29 coil status values.
The return message format is as follows:

Meaning of the return message: Returns the state values of input coils 10197-10225 of slave 1 on the server, with a return byte count of 4, namely CD 6B B2 05.
CD=1100 1101 corresponds to 10197-10204
6B=0110 1011 corresponds to 10205-10212
B2=1011 0010 corresponds to 10213-10220
05=0000 0101 corresponds to 10221-10225
Read Holding Registers
The sending message format is as follows:

Meaning of the sending message: Read the holding register of slave 1 on the server, starting address 0x6B=107, corresponding address 40108, number of registers 0x02=2, that is, read the holding register of slave 1, addresses from 40108-40109, a total of 2 registers’ values.
The return message format is as follows:

Meaning of the return message: Returns the values of holding registers 40108-40109 of slave 1 on the server, with a return byte count of 4, namely 02 2B 01 06, where 40108 corresponds to the value 0x022B and 40109 corresponds to the value 0x0106.
Read Input Registers
The sending message format is as follows:

Meaning of the sending message: Read the input registers of slave 1 on the server, starting address 0x6B=107, corresponding address 30108, number of registers 0x02=2; that is, read the input registers of slave 1 at addresses 30108-30109, a total of 2 register values.
The return message format is as follows:

Meaning of the return message: Returns the values of input registers 30108-30109 of slave 1 on the server, with a return byte count of 4, namely 02 2B 01 06, where 30108 corresponds to the value 0x022B and 30109 corresponds to the value 0x0106.
Preset Single Coil
The sending message format is as follows:

Meaning of the sending message: Preset the value of a single coil of slave 1 on the server, coil address 0x00AC=172, corresponding address 00173, with the on/off flag 0xFF00 indicating set and 0x0000 indicating reset; that is, set the output coil 00173 of slave 1.
The return message format is as follows:

Meaning of the return message: The original message for presetting a single output coil is returned.
Preset Single Register
The sending message format is as follows:

Meaning of the sending message: Preset the value of a single holding register of slave 1 on the server, register address 0x0087=135, corresponding address 40136, with the value written as 0x039E, that is, preset the holding register 40136 of slave 1 to the value 0x039E.
The return message format is as follows:

Meaning of the return message: The original message for presetting a single holding register is returned.
Preset Multiple Coils
The sending message format is as follows:

Meaning of the sending message: Preset the values of multiple coils of slave 1 on the server, coil address 0x0013=19, corresponding address 00020, number of coils 0x0A=10, with the value written as 0xCD00, that is, preset the coils 00020-00027=0xCD=1100 1101, and 00028-00029=0x00=0000 0000 of slave 1.
The return message format is as follows:

Meaning of the return message: The return message for presetting multiple output coils is the original message with the byte count and data bytes removed; that is, it echoes only the function code, starting address and number of coils.
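As an added example (not code from the original article), this Python packs the ten coil values from the message above into the bytes CD 00, builds the function code 0x0F request, and checks a response against the request the way the text describes: the normal response must carry the same transaction and unit identifiers and echo only the function code, starting address and quantity. The response frame is constructed here for the example.

```python
import struct

def pack_coils(values):
    """Pack 0/1 values into bytes, first coil in bit 0 of the first byte."""
    out = bytearray((len(values) + 7) // 8)
    for i, v in enumerate(values):
        if v:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)

def build_write_multiple_coils(transaction_id, unit_id, start_index, values):
    """FC 0x0F: function code, start index, quantity, byte count, coil bytes."""
    data = pack_coils(values)
    pdu = struct.pack(">BHHB", 0x0F, start_index, len(values), len(data)) + data
    # MBAP length = unit identifier + PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def check_write_multiple_coils_response(request, response):
    """Normal response: 7-byte MBAP + FC + start index + quantity (12 bytes)."""
    if len(response) != 12:
        return False
    if response[0:2] != request[0:2] or response[6] != request[6]:
        return False  # transaction id and unit id must match the request
    if response[7] & 0x80:
        return False  # exception response carries the function code with bit 7 set
    return response[7:12] == request[7:12]  # FC, start index, quantity echoed

# Coils 00020-00029: 0xCD = 1100 1101 read from bit 0 upward gives
# 1,0,1,1,0,0,1,1 for 00020-00027, then 0,0 for 00028-00029.
values = [1, 0, 1, 1, 0, 0, 1, 1, 0, 0]
request = build_write_multiple_coils(2, 1, 0x13, values)
# Constructed normal response for that request.
response = struct.pack(">HHHB", 2, 0, 6, 1) + struct.pack(">BHH", 0x0F, 0x13, 10)
```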
Preset Multiple Registers
The sending message format is as follows:

Meaning of the sending message: Preset the values of multiple registers of slave 1 on the server, register address 0x0087=135, starting address 40136, number of registers 0x02=2, ending address 40137, with the values written as 0xCD00 and 0x0A10, that is, preset the registers 40136=0x0105 and 40137=0x0A10 of slave 1.
The return message format is as follows:

Meaning of the return message: The return message for presetting multiple holding registers is the original message with the byte count and data bytes removed; that is, it echoes only the function code, starting address and number of registers.