In-depth understanding of the Modbus TCP protocol

2026-04-06 06:39:12

Modbus has three protocols: Modbus RTU, Modbus ASCII, and Modbus TCP. Modbus is widely used in industrial communication. Modbus RTU and Modbus ASCII excel at serial communication, such as RS485 or RS232, while Modbus TCP is better suited for Ethernet-based communication. Due to the different underlying architectures, Modbus Application Data Units (ADUs) differ. You may not be familiar with what an ADU is; Changhui Instruments will explain in detail below.

To facilitate communication, Modbus defines a very simple data structure called a "Protocol Data Unit" (PDU). A PDU consists of a function code and data, as shown in the diagram below:

The function code is 1 byte long and represents the function to be performed. Common examples include: 01 read coil; 02 read discrete input value; 03 read holding register value; 05 write single coil, etc. The data portion is 0-252 bytes long and represents the address to be read or the value to be written. Different function codes correspond to different data. For example, the 01 function code has 4 bytes of data, where the first two bytes represent the address of the coil to be read, and the last two bytes represent the number of coils to be read. Similarly, the 05 function code also has 4 bytes of data, where the first two bytes represent the address of the coil to be written, and the last two bytes represent the value to be written.

There are three types of protocol data units: Request PDU, Response PDU, and Exception Response PDU. For more information about protocol data units, please download the communication specifications from the Modbus website and read them carefully.

The Protocol Data Unit (PDU) is a generic data structure in Modbus, independent of the underlying physical structure. Modbus RTU, Modbus ASCII, and Modbus TCP all use the same PDU. However, Modbus always relies on the physical network for communication. Therefore, the PDU needs to be mapped to the physical network, which forms the Application Data Unit (ADU). Due to the different underlying networks, the ADUs of Modbus TCP, Modbus RTU, and Modbus ASCII are different. The ADU structures of Modbus RTU and Modbus ASCII are shown in the following figure:

The ModbusTCP ADU structure is as follows:

As you can see, Modbus TCP's application data unit is based on the protocol data unit, with the addition of a structure called the "MBAP header." MBAP is an abbreviation for "ModBus Application," which means "application data unit."

The MBAP header structure consists of 7 bytes, as shown in the table below:

Where:

◆ Transmission Identifier: Used to identify the application data unit, i.e., the pairing between request and response; the client initializes this part, and the server copies it into its own ADU;

◆ Protocol Identifier: The protocol identifier between systems, 0 = Modbus;

◆ Length: The length of the data that follows, i.e., the total length of the unit identifier + PDU, in bytes;

◆ Unit Identifier: Used for station addressing between systems, such as the address of a remote station in an Ethernet + serial link network.

This is the Modbus TCP ADU structure: MBAP header + PDU. Isn't it simple? Modbus TCP data transmission uses a mode known as "client/server," which is why client/server function descriptions appear in the table above. In fact, many network communications use this method, such as the well-known Siemens S7 communication protocol. In serial links, this method is also called master-slave communication.
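To make the MBAP header + PDU layout concrete, here is an added example (not code from the Changhui Instruments article) that assembles a Read Coils request and parses a reply, checking the length field, protocol identifier and transaction identifier before trusting the frame. The field widths (2 + 2 + 2 + 1 bytes), the 0x80 exception flag and the sample reply bytes are taken from the Modbus specification or constructed here; the page itself does not state them.

```python
import struct

# Field widths per the Modbus TCP specification (assumed, not stated on the page):
# transaction id (2), protocol id (2), length (2), unit id (1) = 7-byte MBAP header.
MBAP = struct.Struct(">HHHB")
PROTOCOL_MODBUS = 0
MAX_PDU_DATA = 252

def build_adu(transaction_id, unit_id, function_code, data):
    """Wrap a PDU (function code + data) in an MBAP header."""
    if len(data) > MAX_PDU_DATA:
        raise ValueError("PDU data exceeds 252 bytes")
    pdu = bytes([function_code]) + data
    # The length field counts the unit identifier plus the PDU that follow it.
    header = MBAP.pack(transaction_id, PROTOCOL_MODBUS, 1 + len(pdu), unit_id)
    return header + pdu

def read_coils_request(transaction_id, unit_id, start_address, quantity):
    """Function code 01: two-byte start address followed by two-byte coil count."""
    data = struct.pack(">HH", start_address, quantity)
    return build_adu(transaction_id, unit_id, 0x01, data)

def parse_adu(frame, expected_transaction_id=None):
    """Split an ADU into (tid, unit, function_code, data, is_exception), rejecting malformed frames."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for an MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != PROTOCOL_MODBUS:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # Never trust the length field blindly: it must match the bytes actually received.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    # The server echoes the client's transaction id; use it to pair request and response.
    if expected_transaction_id is not None and tid != expected_transaction_id:
        raise ValueError("response transaction id does not match the request")
    function_code = frame[MBAP.size]
    # Exception Response PDUs set the high bit of the function code (0x80 | code).
    is_exception = bool(function_code & 0x80)
    return tid, unit, function_code & 0x7F, frame[MBAP.size + 1:], is_exception

if __name__ == "__main__":
    # Constructed sample exchange: read 37 coils starting at 0x0013 from unit 0x11.
    request = read_coils_request(1, 0x11, 0x0013, 0x0025)
    print("request :", request.hex())
    response = bytes.fromhex("000100000008110105CD6BB20E1B")  # constructed reply
    print("response:", parse_adu(response, expected_transaction_id=1))
```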

At this point, you might have a question. Since Modbus network communication typically requires specifying IP addresses and port numbers, why isn't this information present in the ModbusTCP ADU?

Haha, actually, this is because ModbusTCP is an application layer protocol, while the IP address and port number you mentioned belong to the transport/network layer. Still don't understand? Okay, take a look at this diagram:

As you can see, logically ModbusTCP operates on top of the TCP layer. When sending data, the ModbusTCP application data unit is first passed down to the transport layer, where the TCP header is added; then to the network layer, where the IP header is added; then down through the data link layer and physical layer. Receiving is the reverse: starting from the physical layer, each layer strips its own header until the data finally reaches the application layer. Therefore, when using ModbusTCP for data transmission, it must be used together with the TCP/IP protocol stack. Typically, if you are programming on a computer, you will use socket programming; if you are programming a PLC, the manufacturer has usually encapsulated the underlying communication in library instructions that you can call directly. For example, Siemens S7-200SMART/1200/1500 PLCs all have ready-made Modbus-TCP instruction libraries. Just between you and me, Changhui Instruments will be writing articles about Modbus-TCP communication based on PLCs and PCs later.

One more thing to note is that ModbusTCP uses port 502, so be sure to reserve it for ModbusTCP and don't let anyone else use it.
