Modbus Introduction
Prem Sanil
Introduction
• Modbus is a serial communications protocol originally published
by Modicon (now Schneider Electric)
Its Application?
• Used to establish master-slave/client-server communication between
intelligent devices
• Openly published and royalty-free
• Modbus enables communication between many (approximately 247)
devices connected to the same network
Communication between MODBUS devices
• MODBUS devices communicate using a master-slave technique in
which only one device (the master) can initiate transactions (called
queries).
• The other devices (slaves) respond by supplying the requested data
to the master
• A slave is any peripheral device (I/O transducer, valve, network or
other measuring device), which processes information and sends its
output to the master.
• Masters can address individual slaves, or can initiate a broadcast
message to all slaves.
Basic Modbus Network
Basic Modbus Transaction
Modbus frames:
• The messages exchanged between the master and the slave are called
frames.
• There are two types of Modbus frames: Protocol Data Unit (PDU) and
Application Data Unit (ADU).
• The PDU frame: function code + data.
• The ADU frame: address + function code (FC) + data + error check.
• The FC is the action to perform, and the data is the information to be used for
this action.
Modbus Data Types
• Modbus transactions always perform a set of actions by reading or
writing to a set of four data types, used by the Modbus application layer.
Limitations
• Since Modbus is a master/slave protocol, there is no way for a field
device to "report by exception"
• The master must routinely poll each field device, and look for changes
in the data.
• Modbus is restricted to addressing 247 devices on one data link, which
limits the number of field devices that may be connected to a master
station.
• Modbus protocol provides no security against unauthorized
commands.
Modbus Recap
Query
• Modbus is restricted to addressing 247 devices on one data link, which
limits the number of field devices that may be connected to a master
station.
• The address field in the Modbus-defined frame is only 8 bits wide. This
would provide for 256 slave addresses.
• Address 0 is reserved as a "broadcast" address.
• Eight other "reserved" addresses are not valid for a slave.
• Source: http://stackoverflow.com/questions/22523716/modbus-slave-count-limitation
• Source: http://www.control.com/thread/1369186948
("Modbus Over Serial Line V1.02", page 8, Section 2.2 Modbus Addressing
rules, "from 248 to 255: Reserved")
Accessing The Data
• 16-bit Unsigned Registers And Single-bit Coils
• Input Registers And Holding Registers
• Input Coils And Status Coils
• 64 kb of space is allocated for registers and coils
Byte-Ordering
Modbus Data structure
Max of 64 kb of space is allocated for registers and coils
Bits – 1 Bit
Short Integer – 8 bits
Unsigned Integer – (0 to 65536)
Signed Integer – (-32768 to +32767)
32 bit Integer – MSB 16 bit | LSB 16 bit
64 bit Integer – MSB 16 bit | 16 bit | 16 bit | LSB 16 bit
Modbus ASCII vs Modbus RTU
• In Modbus RTU, bytes are sent consecutively with a 3-1/2 character
space between messages for a delimiter. This allows the software to
know when a new message is starting.
• Any delay between bytes will cause Modbus RTU to interpret it as the start of a
new message.
• Modbus ASCII marks the start of each message with a colon character ":"
(hex 3A).
• The end of each message is terminated with the carriage return and line feed
characters (hex 0D and 0A).
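The two serial framings described above, as an added example that is not part of the original slides: the same PDU wrapped as an RTU ADU and as an ASCII ADU, with parsers that reject a frame whose error check fails. The slides only say "error check"; the CRC-16 (RTU) and LRC (ASCII) used here are the checks defined by the Modbus serial line specification, and the function names and the sample request are constructed for illustration.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """Modbus RTU error check: CRC-16, initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def lrc(data: bytes) -> int:
    """Modbus ASCII error check: two's complement of the 8-bit sum of the bytes."""
    return (-sum(data)) & 0xFF

def build_pdu(function_code: int, data: bytes) -> bytes:
    return bytes([function_code]) + data

def _check_address(address: int) -> None:
    # 0 is broadcast, 1..247 are slaves, 248..255 are reserved.
    if not 0 <= address <= 247:
        raise ValueError(f"address {address} is reserved or out of range")

def rtu_adu(address: int, pdu: bytes) -> bytes:
    _check_address(address)
    body = bytes([address]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))  # CRC is sent low byte first

def ascii_adu(address: int, pdu: bytes) -> bytes:
    _check_address(address)
    body = bytes([address]) + pdu
    # Every byte becomes two hex characters between ':' and CR LF.
    return b":" + (body + bytes([lrc(body)])).hex().upper().encode() + b"\r\n"

def parse_rtu(frame: bytes):
    """Return (address, function_code, data); raise ValueError on a bad frame."""
    if len(frame) < 4:
        raise ValueError("RTU frame shorter than address + FC + CRC")
    body, (received,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]

def parse_ascii(frame: bytes):
    """Return (address, function_code, data); raise ValueError on a bad frame."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' start or CR LF end")
    try:
        raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    except ValueError as exc:
        raise ValueError("payload is not hex") from exc
    if len(raw) < 3 or lrc(raw[:-1]) != raw[-1]:
        raise ValueError("LRC mismatch")
    return raw[0], raw[1], raw[2:-1]

# Constructed sample: FC 0x03, start address 0x006B, quantity 3, sent to slave 0x11.
SAMPLE_PDU = build_pdu(0x03, struct.pack(">HH", 0x006B, 3))
```

Both error checks catch line noise only; neither framing carries anything that identifies or authenticates the sender.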
ModBus RTU Frame Format
Modbus ASCII vs Modbus RTU
MODBUS PROTOCOL ON OSI MODEL
[Figure: the OSI model layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) set beside the Modbus Serial, Modbus Plus and Modbus TCP stacks. Labels in the figure: Modbus Application Layer; Modbus Messaging on TCP/IP; TCP; IP; Serial Line Master / Slave; HDLC; Ethernet Data Link; RS232; RS485; Ethernet Physical Layer.]
Modbus RS232-RS485
[Figure: digital levels (3.3 V and 0 V) and electrical signals.]
Modbus RS232
• RS232 is an Electrical Standard for Physical Drivers that put Electrical
signals on the wire
• Point to Point Connection
• Full Duplex
• Maximum Cable Length 50 FT.
• Maximum Data Rate 20kb/s
[Figure: PHY between digital and electrical signals; lines labelled Tx, Rx and GND on each side.]
Modbus RS485
• Multi-Point Connection (up to 32 devices)
• Half Duplex
• Maximum Cable Length 4,000 FT.
• Maximum Data Rate 100kbps
[Figure: PHY between digital and electrical signals; a Master, Slave A and Slave B with Tx and Rx lines.]
Master / Slaves State Diagrams
[State diagram; states shown: Idle, Waiting for reply, Processing reply.]
• Idle: This is the initial state after power-up. A request can only be sent in "Idle" state. After sending a request, the Master leaves the "Idle" state, and cannot send a second request at the same time.
• When a reply is received, the Master checks the reply before starting the data processing. In case of an error detected on the frame, a retry is performed.
When a unicast request is sent to a slave, the master goes into "Waiting
for reply" state, and a "Response Time-out" is started.
It prevents the Master from staying indefinitely in "Waiting for reply"
state. The value of the Response time-out is application dependent.
If no reply is received, the Response time-out expires, and an error is
generated. Then the Master goes into "Idle" state, enabling
a retry of the request. The maximum number of retries depends on the
master set-up.
Master / Slaves State Diagrams
[State diagram; states shown: Idle, Waiting turnaround delay.]
When a broadcast request is sent on the serial
bus, no response is returned from the slaves.
Nevertheless a delay is respected by the Master
in order to allow any slave to process the current
request before sending a new one. This delay is
called "Turnaround delay".
Therefore the master goes into "Waiting
Turnaround delay" state before going back to
"Idle" state and before being able to send another
request.
MODBUS PROTOCOL ON OSI MODEL
[Figure: the OSI model layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) set beside the Modbus Serial, Modbus Plus and Modbus TCP stacks. Labels in the figure: Modbus Application Layer; Modbus Messaging on TCP/IP; TCP; IP; Serial Line Master / Slave; HDLC; Ethernet Data Link; RS232; RS485; Ethernet Physical Layer.]
Modbus TCP/IP
• Modbus TCP/IP is simply the Modbus RTU protocol with a TCP interface that
runs on Ethernet.
• TCP/IP refers to the Transmission Control Protocol and Internet Protocol.
• The function of TCP is to ensure that all packets of data are received correctly.
• IP makes sure that messages are correctly addressed and routed.
[Figure label: "The rules for organizing and interpreting the data"]
The Modbus TCP/IP message is simply a Modbus communication encapsulated in
an Ethernet TCP/IP wrapper.
In general, Modbus TCP/IP uses TCP/IP and Ethernet to carry the data
of the Modbus message structure between compatible devices.
Modbus TCP/IP Client/Server Model
The MODBUS messaging service provides a Client/Server communication between
devices connected on an Ethernet TCP/IP network.
This client/server model is based on four types of messages:
· MODBUS Request,
· MODBUS Confirmation,
· MODBUS Indication,
· MODBUS Response
Modbus TCP/IP Client/Server Model
[Figure: MODBUS Client and MODBUS Server, with arrows labelled Request, Indication, Response and Confirmation.]
• A MODBUS Request is the message sent on the network by the Client to
initiate a transaction.
• A MODBUS Indication is the Request message received on the Server side.
• A MODBUS Response is the Response message sent by the Server.
• A MODBUS Confirmation is the Response message received on the Client side.
Modbus TCP/IP Data Frame
[Figure: Application Data Unit (ADU).
Modbus Serial Frame: Address | Function Code | Data | Checksum
Modbus TCP/IP: Modbus Application Protocol (MBAP) Header (Transaction Identifier | Protocol Identifier | Length Field | Unit ID) + Protocol Data Unit (PDU) (Function Code | Data)]
The Modbus commands and user data are encapsulated into the data container
of a TCP/IP telegram without being modified in any way.
Modbus TCP/IP Data Frame
[Figure: Modbus Serial Frame (Address | Function Code | Data | Checksum) above the Modbus TCP/IP Frame (Transaction Identifier | Protocol Identifier | Length Field | Unit ID | Function Code | Data).]
The Modbus error checking field (checksum) is not used, as the standard Ethernet
TCP/IP link layer checksum methods are used.
The Modbus Address field is replaced by the unit identifier in Modbus TCP/IP.
Modbus TCP/IP Data Frame
[Figure: Modbus TCP/IP Frame with the Transaction Identifier field of the MBAP header highlighted; the identifier is initialized by the MODBUS Client in the Request and appears again on the MODBUS Server side.]
Transaction Identifier - It is used for transaction pairing: the
MODBUS server copies the transaction identifier of a MODBUS Request into its response.
This is important because, in MODBUS TCP, the server can handle many requests
at the same time. This is not possible in MODBUS Serial.
Modbus TCP/IP Data Frame
Protocol Identifier – This field is always 0 for Modbus services and other values
are reserved for future extensions.
Modbus TCP/IP Data Frame
Length - The length field is the size of the following fields, including the Unit
Identifier, Function Code and data fields.
Modbus TCP/IP Data Frame
The Unit identifier is typically used to address the MODBUS slave.
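An added example (not from the original slides) that parses the MBAP header fields described above and applies them to the limitation noted earlier, that Modbus provides no security against unauthorized commands: a passive monitor that checks each frame and flags writes from clients outside an allowlist. The write function codes, the 253-byte PDU limit and the 0x80 exception bit come from the Modbus specification rather than the slides; the allowlist, the function names and the sample traffic (documentation-range addresses) are constructed.

```python
import struct
from collections import namedtuple

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id
Frame = namedtuple("Frame", "transaction_id unit_id function_code data")
# Standard function codes that write coils or registers.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}

def build_modbus_tcp(tid, unit, function_code, data=b""):
    pdu = bytes([function_code]) + data
    # Length covers the unit identifier plus the PDU (function code + data).
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(adu):
    if len(adu) < MBAP.size + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(adu)
    if pid != 0:
        raise ValueError(f"protocol identifier {pid} is not 0")
    if length != len(adu) - 6:  # bytes that follow the length field
        raise ValueError(f"length field {length}, {len(adu) - 6} bytes present")
    if length > 254:  # unit identifier + 253-byte maximum PDU
        raise ValueError("PDU exceeds 253 bytes")
    return Frame(tid, unit, adu[7], adu[8:])

def audit(packets, allowed_writers):
    """packets: (client_ip, 'req' or 'rsp', adu). Returns (client_ip, finding) pairs."""
    findings, pending = [], {}
    for client, direction, adu in packets:
        try:
            frame = parse_modbus_tcp(adu)
        except ValueError as exc:
            findings.append((client, f"malformed: {exc}"))
            continue
        key = (client, frame.transaction_id)  # pair responses with requests
        if direction == "req":
            pending[key] = frame.function_code
            if (frame.function_code in WRITE_FUNCTION_CODES
                    and client not in allowed_writers):
                findings.append((client, f"write FC 0x{frame.function_code:02X} "
                                         f"to unit {frame.unit_id} from unlisted client"))
        elif key not in pending:
            findings.append((client, "response with unmatched transaction id "
                                     f"{frame.transaction_id}"))
        elif pending.pop(key) != frame.function_code & 0x7F:  # 0x80 marks an exception
            findings.append((client, "response function code differs from request"))
    return findings

# Constructed sample traffic; client_ip names the client end of each connection.
ALLOWED_WRITERS = {"192.0.2.20"}
SAMPLE = [
    ("192.0.2.10", "req", build_modbus_tcp(1, 1, 0x03, struct.pack(">HH", 0x006B, 3))),
    ("192.0.2.10", "rsp", build_modbus_tcp(1, 1, 0x03, bytes([6]) + bytes(6))),
    ("192.0.2.99", "req", build_modbus_tcp(7, 1, 0x06, struct.pack(">HH", 1, 0x00FF))),
    ("192.0.2.10", "rsp", build_modbus_tcp(9, 1, 0x03, b"\x02\x00\x00")),
    ("192.0.2.10", "req", b"\x00\x02\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),
]
```

Calling `audit(SAMPLE, ALLOWED_WRITERS)` returns three findings: the write from the unlisted client, the response whose transaction identifier matches no request, and the frame with a non-zero protocol identifier.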
The TCP/IP Stack
• In general, TCP/IP allows blocks of binary data to be exchanged between
computers.
• The primary function of TCP is to ensure that all packets of data are received
correctly.
• IP makes sure that messages are correctly addressed and routed.
What does each layer specify?
The flow of data from a sender to a receiver using the TCP/IP stack
• Each layer on the sending stack communicates with the corresponding layer
of the receiving stack through information stored in headers.
• As you move the data down the stack of the sender, each stack layer adds its
own header to the message.
• The higher layers are encapsulated by the lower layers.
• Conversely, this header information is removed by the corresponding layer at
the receiver.
CONSTRUCTION OF A TCP/IP-ETHERNET DATA PACKET
[Figure: Application User Data (ADU) shown at each layer of the stack: Application, TCP (Transport), IP (Network), Ethernet (Data Link), Physical.]

Editor's Notes

  • #20 Bit stream of 1s and 0s. Electrical signals that are referenced to the electronics of the MC. Electrical signal, at the voltage required by the other side.
  • #22 Cabling single ended single ended multi-drop multi-drop. Signal levels are commonly referred to as a mark for logic 1 and a space for logic 0.
  • #26 A patent is a set of exclusive rights granted by a sovereign state to an inventor or assignee for a limited period of time in exchange for detailed public disclosure of an invention. The protocol's specifications have not been made publicly available by Skype and official applications using the protocol are closed-source.
  • #27 Application protocol, Modbus in this case.
  • #38 At each layer, what header is added. The Modbus Application Data Unit is embedded into the TCP data array. Information is wrapped into the data bytes of the next lowest layer.