What are MODBUS Protocol and all its features?

01.11.2020

What is Modbus TCP Protocol?
Modbus is a serial communication protocol developed by Modicon in 1979 for use with PLCs. Modbus TCP/IP uses TCP/IP and Ethernet to move data in the Modbus message structure between compatible devices. That is, Modbus TCP/IP combines a physical network (Ethernet), a network standard (TCP/IP) and a standard method of representing data (Modbus). A Modbus TCP/IP message is simply a Modbus communication encapsulated in an Ethernet TCP/IP packet.
Some must-know terms are:

SCADA (Supervisory Control and Data Acquisition) refers to central systems that control and monitor all sites.
A PLC (Programmable Logic Controller) is an automation device used on factory production floors to control machines and processes.
RTU (Remote Terminal Unit) is a multi-purpose device used for remote monitoring and control of various devices and systems for automation.
A PDU (Protocol Data Unit) is a specific unit of information transmitted over a network.
HMI (Human Machine Interface) is a user interface or dashboard that connects a person to a machine, system or device.

For example, Modbus enables devices in a system to transmit the results of temperature and humidity measuring devices connected to the same network to a supervisory computer or PLC.

Modbus Communication

Modbus protocol uses a Master/Slave technique to communicate between devices. That is, any application using the Modbus protocol will have a Modbus Master and at least one Modbus Slave. A Modbus Master is usually a host controller computer that will communicate with one or more Modbus Slave devices.

Modbus Communication Protocol Types

There are several versions of the Modbus protocol for Serial port and Ethernet, and the most common are:
According to Serial Communication Type

Modbus RTU

The Modbus RTU protocol uses serial communication links arranged in a master/slave architecture. It is widely used because of its ease of use and reliability. That reliability comes from the 16-bit CRC (error-checking mechanism) appended to every message, which is sent as compact binary data.
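As an added illustration (not code from the original article), here is the CRC-16 that Modbus RTU appends to each frame, computed in Python over a constructed read request; the function names are my own.

```python
def crc16_modbus(data):
    """CRC-16 as used by Modbus RTU: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(slave_id, function_code, data):
    """Slave address, function code, data, then the CRC with its low byte first."""
    body = bytes([slave_id, function_code]) + data
    return body + crc16_modbus(body).to_bytes(2, "little")


def check_rtu_frame(frame):
    """Return (slave_id, function_code, data) if the CRC matches, otherwise None."""
    if len(frame) < 4:  # address + function code + 2 CRC bytes is the minimum
        return None
    body, received = frame[:-2], int.from_bytes(frame[-2:], "little")
    if crc16_modbus(body) != received:
        return None
    return body[0], body[1], body[2:]


# Constructed example: read 2 holding registers from data address 0 on slave 1 (function code 03).
REQUEST = build_rtu_frame(1, 3, bytes.fromhex("00000002"))  # 01 03 00 00 00 02 C4 0B
# The same frame with one bit flipped in transit; the CRC check must reject it.
CORRUPTED = bytes([REQUEST[0], REQUEST[1] ^ 0x01]) + REQUEST[2:]
```

A matching CRC only shows that the frame was not corrupted on the wire; it says nothing about which device sent it.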


Modbus ASCII

In Modbus ASCII, data is communicated over the Modbus network using 8-bit coding according to the ASCII character set. The advantage of this encoding is that it allows consecutive data to be transmitted without causing an error. An LRC (Longitudinal Redundancy Check) is used to detect corrupted messages.

Modbus Plus

Developed by Schneider and Modicon, this protocol connects to a global Fieldbus network. It is used in PLCs, drives and many peripheral devices. In industrial applications it runs over the PLUS RS-485 communication link, which is organised in a master/slave structure. It has a flexible structure in addition to high-speed data transmission.
According to ETHERNET Communication Type

Modbus TCP/IP Protocol

It is a simple-to-use protocol designed for the control and monitoring of automation devices. This protocol, which communicates over a classical Internet-style network topology, transfers data at 100 Mbps with the network cards fitted as standard. Multiple connections can be made with the TCP/IP protocol. A connection is established between server and client devices and data transfer takes place. Any device can be a client or a server, and there can be many servers or clients in the system. The transmission rate in the TCP/IP protocol varies depending on the processor and network card used in the devices. Note that the protocol itself carries no authentication or encryption: any host that can reach a server's Modbus port (TCP 502 by default) can issue requests, so access to Modbus networks is normally restricted at the network level.

Modbus TCP/IP Protocol Header Structure

In the Modbus TCP/IP version, messages consist of 2 main parts. Together, the MBAP header and the PDU form the complete message.

MBAP (Modbus Application Protocol Header) Header Section
In Modbus TCP/IP framing, the MBAP header consists of 4 fields. The length of the MBAP header is 7 bytes. The MBAP section serves the communication function: it carries the information the master and slave units need to communicate with each other.

Transaction Identifier
This field lets two devices pair each request with its response by associating the master and slave ends of the exchange. The transaction identifier field is 2 bytes long.

Protocol Identifier
Designed to distinguish between multiple systems (protocols). It takes the value 0 for Modbus; the other values are reserved for future use. The protocol identifier field is 2 bytes long.

Length
The length field specifies the number of bytes that follow it, which includes the unit identifier field and the Modbus TCP/IP PDU. The length field is 2 bytes long.

Unit Identifier
This field is used for routing within the system. It identifies a remote unit that is not itself on the TCP/IP network. The unit identifier field is 1 byte long.

Modbus TCP/IP PDU Section
The Modbus TCP/IP PDU section consists of 2 fields, the function code and the data. In Modbus TCP/IP framing, the PDU section essentially carries the requested function and its parameters.

Function Code
When the master unit sends a message to the slave unit, the function code field holds the code of the requested function. In the slave unit's response to the master unit, it holds the function code corresponding to the request. The function code is 1 byte long.

Data Section
When the master unit sends a message to the slave unit, the data field contains the parameters specific to the requested function. In the slave unit's response to the master unit, it contains either the response data or the error code returned for the request. The data field is of variable length.

How to Store Data in Modbus?
The information is stored in the slave device in four different tables. Two tables store on/off status values (coils) and the other two store numeric values (registers). Coils and registers each have a read-only table and a read-write table. Each table has 9999 values. Each coil or contact is 1 bit and is assigned a data address between 0000 and 270E (hexadecimal). Each register is 1 word = 16 bits = 2 bytes, and likewise has a data address between 0000 and 270E.

Coil/register numbers can be considered system names, as they do not actually appear in messages; data addresses are what is used in messages. For example, the first holding register has number 40001 and data address 0000. The difference between these two values is the offset, and each table has a different offset: 1, 10001, 30001 and 40001.
Note: each manufacturer can keep the addresses of Modbus TCP variables in their own device in different ranges.
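As an added example (my own code, not the article's), the MBAP header and PDU layout described above and the number-to-address offsets from this section put together in Python: a builder and a parser for Modbus TCP frames that rejects inconsistent headers, plus the 40001-to-0000 mapping. The function and table names are my own.

```python
import struct

PROTOCOL_ID = 0       # always 0 for Modbus, as the MBAP description says
EXCEPTION_BIT = 0x80  # a response function code with this bit set carries an error code
MAX_ADDRESS = 0x270E  # data addresses run from 0000 to 270E
# Offsets from the article: number minus offset gives the data address used in messages.
TABLE_OFFSETS = {"coil": 1, "discrete_input": 10001,
                 "input_register": 30001, "holding_register": 40001}


def number_to_address(number):
    """Map a coil/register number such as 40001 to (table, data_address)."""
    for table, offset in sorted(TABLE_OFFSETS.items(), key=lambda kv: -kv[1]):
        if number >= offset:
            address = number - offset
            if address > MAX_ADDRESS:
                raise ValueError(f"{number} lies beyond the {table} table")
            return table, address
    raise ValueError(f"{number} is not a valid Modbus number")


def build_tcp_frame(transaction_id, unit_id, function_code, data):
    """MBAP header (7 bytes, big-endian) followed by the PDU (function code + data)."""
    pdu = bytes([function_code]) + data
    length = 1 + len(pdu)  # unit identifier plus the PDU, i.e. everything after the length field
    return struct.pack(">HHHB", transaction_id, PROTOCOL_ID, length, unit_id) + pdu


def parse_tcp_frame(frame):
    """Split a frame into MBAP and PDU fields, rejecting headers that disagree with the bytes."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != PROTOCOL_ID:
        raise ValueError(f"protocol identifier {protocol_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with {len(frame) - 6} bytes on the wire")
    function_code, data = frame[7], frame[8:]
    result = {"transaction_id": transaction_id, "unit_id": unit_id,
              "function_code": function_code & 0x7F, "data": data}
    if function_code & EXCEPTION_BIT:
        if not data:
            raise ValueError("exception response without an exception code")
        result["exception_code"] = data[0]  # the slave reported an error instead of data
    return result


# Constructed example: read 2 holding registers starting at number 40001 from unit 1 (FC 03).
_table, START = number_to_address(40001)  # holding_register, address 0000
REQUEST = build_tcp_frame(1, 1, 3, struct.pack(">HH", START, 2))
```

The length check is the kind of consistency test a monitoring tool applies to Modbus traffic: a header that claims more or fewer bytes than actually follow is malformed and worth logging.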

What is Slave ID?

Each slave in a network has its own address number, ranging from 1 to 247. When the master requests data, the slave's address is the first byte sent. Thus, each slave knows after the first byte whether to ignore the message.

What is Function Code?
The second byte sent by the master is called the function code. This number tells the slave which table to access and whether to read from it (Read) or write to it (Write).

General Function Code Definitions