3/14/23, 6:40 PM Modbus Protocol

 
What is the Modbus protocol and how does it work?

By Nikhil Agnihotri

Modbus is a popular low-speed serial communication protocol widely used in the automation industry. The
protocol was developed by Modicon (now acquired by Schneider Electric) in 1979 for its own programmable
logic controllers. The protocol served as a link between PLCs and intelligent automation devices. Now an open
protocol maintained by Modbus Organization, the Modbus was very popular among automation engineers
since its inception. The protocol is widely used for industrial monitoring and control, particularly with PLCs.

The serial protocol is based on master-slave configuration and is capable of setting up the communication of a
Modbus client with up to 247 Modbus servers. The physical interface is facilitated at the devices by standard
RS-485 or RS-232 ports. The bus is a shielded or non-shielded twisted pair cable terminated in 150 ohms at
both ends. The cable can be easily connected to the devices using a 9-pin D-shell, screw terminals, or RJ-45
connectors.

The Modbus is a point-to-point or multi-drop network using either a daisy chain or taps. The entire
communication in a Modbus network is controlled and managed by the master (i.e. the Modbus client).
Modbus is widely used to connect instrumentation and control devices with a controller or data-gathering
devices. Usually, the data-gathering device or the Modbus client is a supervisory computer within a human

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 1/12

3/14/23, 6:40 PM Modbus Protocol

machine interface (HMI) or Supervisory Control and Data Acquisition (SCADA) system. The remote terminal
units (RTU) including sensor modules, programmable logic controller (PLC) or programmable automation
controller (PAC) are the Modbus servers. Modbus is supported by almost every commercial HMI, SCADA, OPC
server, and data acquisition software enabling a hassle-free integration of Modbus-compatible equipment with
Industrial Automation System (IAS) or Building Management System (BMS).
any 

Why Modbus is so popular

Modbus is used by manufacturers in many different industries and has become quite popular due in part to its
simplicity. It is an open standard; therefore, manufacturers can build the RTU version of Modbus into their
equipment without paying any royalty. The protocol can be implemented even on the prototyping boards like
Arduino. In fact, the communication protocol can be easily implemented on any microcontroller or computer.
The data communication is carried out through request-response and the messages have a fixed frame format.

Initially developed as an application layer protocol to transfer data over the serial layer, there are currently
three versions of Modbus protocol: two for serial lines— the Modbus RTU and the Modbus ASCII; and one for
Ethernet (TCP/IP and UDP) — the Modbus TCP. While relatively simplistic, the protocol still enables message
checking and with an accuracy of more than 99 percent. Modbus RTU has Cyclic Redundant Checksums (CRC)
and Modbus ASCII has Longitudinal Redundancy Checks (LRC) for error checking.

Despite its inception in the 1970s, the implementation of the protocol required minimal RAM and memory
resources. In the 1970s when computer technology, as well as embedded technologies, were not as highly
advanced as today, a lightweight protocol like Modbus was especially attractive. The popularity of Modbus has
never declined.

Range and data rate

The standard data rate of Modbus is 9600 b/s or 19.2 kb/s. Usually, 19.2 kb/s is the default rate. The data rate
can be lowered to 4800 b/s, 2400 b/s, etc. The maximum data rate is 115.2 kb/s. At a standard data rate of
9600 b/s, the Modbus can have a maximum range of 1000 meters. If the data rate is increased, the range is
reduced. The tap length should be always less than 20 meters.

Logic levels
On a Modbus, a binary 0 is represented by a voltage level of +2 to +6V. The binary 1 is represented by a
voltage level of -2 to -6V.

Layers
Initially, Modbus was a single protocol implemented over the serial layer. Application data units were
introduced to enable implementation over serial as well as TCP/IP and UDP networks when the protocol was
implemented for Ethernet. The protocol now divides into two layers — the core layer and the network layer.
The core layer defines Protocol Data Unit (PDU), while the network layer defines Application Data Unit (ADU).
The PDU can be transmitted over the UDP network even without defining any application data unit.

The serial versions of Modbus (i.e. Modbus RTU and Modbus ASCII) only require PDU, while the Ethernet
version (i.e. the Modbus TCP) requires both PDU and ADU.

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 2/12

3/14/23, 6:40 PM Modbus Protocol

Network and communication

Modbus is a request-response protocol implemented in a master-slave configuration. There are two types of
devices — Modbus Client and Modbus Server. Modbus Client is the master and is often a supervisory
computer within a SCADA system or HMI. The Modbus Server are slaves and are often remote terminal units
sensor modules, PLCs, and PACs.
like 

The serial versions of Modbus support communication of a single client with up to 247 Modbus servers. As
both RS-485 and RS-232 ports are common for Modbus implementation, if the RS-232 port is used, the
maximum number of Modbus servers can be up to 247, but if RS-485 ports are used, the maximum number of
Modbus servers is limited to 32 because of the practical limitations of the RS-485 standard. There can be
multiple clients and unlimited servers as the Ethernet version of Modbus has an additional 6-byte header for
internet routing

The entire data communication is controlled by the Modbus client through request-response. In Modbus, data
is transferred into bytes. In the RTU version, each byte is encoded in an 11-bit asynchronous frame consisting
of a start bit, the data byte, even parity, and one stop bit. In the ASCII version, each byte is encoded in a 10-bit
frame consisting of a start bit, 7-bit data, 1 bit of even or odd parity or no bit if no parity, and 1 stop bit if
parity is used otherwise 2 stop bit.

A message communicated between the master/client and the slave/server is called Protocol Data Unit (PDU).
The PDU consists of the slave address, the function code (command), the data, and the checksum (CRC or LRC).

The master sends a request to one of the slaves identified by the slave’s address. The slave address is one byte
long and can have a value between 0 and 255. According to the protocol, the slave address 0 is reserved for
the broadcast messages and the slave addresses identifying slave devices cannot exceed 247. The function
code is again one byte long and it tells the addressed slave device what kind of action has to be taken. The
function codes within the range of 1 to 255 are valid, of which 128 to 255 are reserved for exception responses.
The action is a read or a write operation whereby the data in a request provides additional information
required to perform the action. For example, it may specify where to start reading and how much data must be
read. The CRC is applied for error checking in the RTU version, while LRC is applied for error checking in the
ASCII version.

When the master makes a request to an addressed slave, it sends back a response. The slave address and
function code are echoed in the same response. The data contains the values requested by the master. If an
error occurs while performing the requested action, the function code is modified and the data contains a code
describing the error. Again, CRC or LRC depending upon RTU or ASCII framing respectively is used to ensure
the integrity of the message or PDU.

In RTU framing, each byte represents two 4-bit hexadecimal characters in an 11-bit frame. The PDU consists of
a 1-byte long slave address, 1-byte long function code, 0 to 252 bytes long data, and 2-byte long CRC.

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 3/12

3/14/23, 6:40 PM Modbus Protocol

 

In ASCII framing, each byte represents two ASCII characters in a 10-bit frame. The PDU consists of a 1-
character long Start character, 2-character long slave address, 2-character long function code, 0 to 504
character long data, 2-character long LRC, and 2-character long End character. The start character is always a
colon (:) or ASCII 3A hexadecimal. The end character is always a carriage return with a line feed (ASCII 0D and
0A hexadecimal). Each PDU in RTU as well as the ASCII version is separated by 28 bits or 3.5 characters.

Both RTU and ASCII versions of Modbus are almost similar except few differences. In RTU framing, the bytes
are presented in binary form while in ASCII framing, the bytes are presented as readable 4-bit ASCII characters.
The ASCII framing has a start-of-text and end-of-text characters, while in RTU framing the 28-bit separation
between PDUs/messages is interpreted to detect the start and end of the frame. As RTU framing uses shorter
messages, it is faster than the ASCII version. The ASCII version does have an advantage in that intervals of up
to one second can elapse between characters within the message. If the interval exceeds one second, the
equipment takes it as a transmission error.

The PDU in the TCP version of Modbus consists of a 2-byte long transaction ID, a 2-byte long protocol field, a
2-byte long length field, a 1-byte long slave address, and a 1 to 252-byte long message field.

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 4/12

3/14/23, 6:40 PM Modbus Protocol

The transaction ID identifies the transaction and the protocol is always set to 0 to indicate Modbus. The length
indicates the number of the following bytes. This is followed by a 1-byte-long slave address. The message field
is an RTU version similar to the Modbus frame consisting of function code and the data. The maximum size of

the message field can be 253 bytes (i.e. 1 byte for function code and a maximum of 252 bytes for data like in

the RTU frame).

The least significant bit is sent first in all versions — RTU, ASCII, and TCP, The Modbus-compatible equipment
cannot automatically detect the baud rate so the same baud rate needs to be explicitly set at the client and the
server ends of the bus. The Modbus PDU supports a format that can only send data with no capability to send
parameters across communicating devices.

Data types
There are two types of data in Modbus — Coils and Registers. Coils are single bits that can be either 0 (OFF) or
1 (ON). The coils could be discrete output coils or discrete input contacts. The discrete input contacts are the
status of a physical discrete input as either ON or OFF. The discrete output coils are the status of the physical
discrete output signal as either ON or OFF.

The registers are 16-bit unsigned registers that may contain a value representing a floating point number,
ASCII text, a queue, or a table. A register by itself only stores positive values in the range from 0 to 65535 i.e.
0x0000 to 0xFFFF hexadecimal. A 16-bit data stored in registers could be interpreted as a 16-bit unsigned
integer, 16-bit signed integer, 2-character ASCII string, or a discrete ON/OFF value by the Modbus client. A 32-
bit data stored in registers could be interpreted as a 32-bit unsigned integer, a 32-bit signed integer, a 4-
character ASCII string, or a 32-bit double precision floating point number by the Modbus client.

There are two types of registers — analog input registers and analog output holding registers. Like the discrete
input contacts (coils), input registers store the status of an external input as a value between 0 and 65535
(0x0000 and 0xFFFF). In the past, the input registers were generally used for storing digital representations of
the value of analog inputs that could be voltage or current signals. The output holding registers are used to
store data on the device. Now, as most of the Modbus-compatible equipment is not input/output devices,
input registers are also used to store data.

How the server store data

On a Modbus server such as a sensor module, PLC, or PAC, the data is organized into four tables or data banks.
There are two data banks to store discrete on/off values or coils. These data banks store discrete output coils
and discrete input contacts separately. Then, there are two data banks to store numerical values or registers
which store analog input registers and analog output holding registers separately.

Each data bank can store 9999 values. For example, the data banks for discrete output coils and discrete input
contacts can store 9999 bits each in the range from 0000 to 270E. The data banks for analog input registers
and analog output holding registers can store 9999 words each in the range from 0000 to 270E where each
word is 16-bit long.

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 5/12

3/14/23, 6:40 PM Modbus Protocol

The data banks for discrete output coils and analog output holding registers are of read-write type, while the
data banks for discrete input contacts and analog input registers are read-only type.

The values in the data banks are accessed by location names. The data bank for discrete output coils, discrete

input contacts, analog input registers, and analog output holding registers have locations in the range 1~9999,

10001~19999, 30001~ 39999, and 40001~49999 respectively. The structure and nature of four data banks on a
Modbus server are summarized in the following table.

Conclusion
Modbus is a widely used industrial communication protocol, which is often used with PLCs. The protocol has
three versions — RTU, ASCII, and Modbus. The RTU version being open-standard and fastest is most
commonly used by manufacturers. With shorter messages, RTU-framed Modbus messages can be updated at
an interval of 100 milliseconds. Modbus is supported by almost every commercial HMI, SCADA, OPC server,
and data acquisition software making it easy to integrate Modbus-compatible equipment into any industrial
automation system or building management system.

You may also like:

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 6/12

3/14/23, 6:40 PM Modbus Protocol

 
Basic Electronics How to send What are top What is What is the 1-
01 – Beginners MQTT data from applications of Lightweight Wire protocol?
guide to setting ESP32/ESP8266 CAN protocol? Internet Protocol
up an… to Raspberry Pi (LwIP)?

IMAP Protocol-
IOT Part 47

Filed Under: Tech Articles, What Is

← Previous Article

Questions related to this article?

Ask and discuss on EDAboard.com and Electro-Tech-Online.com forums.

Tell Us What You Think!!

You must be logged in to post a comment.

Search this website GO

HAVE A QUESTION?

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 7/12

3/14/23, 6:40 PM Modbus Protocol

Have a technical question about an article or other engineering questions? Check out
our engineering forums EDABoard.com and Electro-Tech-Online.com where you can
get those questions asked and answered by your peers!
 
EDA BOARD

ELECTRO-TECH-ONLINE

EDABOARD.COM DISCUSSIONS

I need help in HFSS and Maxwell or Q3D (How to find the current and voltage after each segment of a
wire)
Deep Reinforcement Learning for automated analog IC design sizing- Suggest me my path is right or
wrong?
Opamp with unbalanced rails
SRAM
PFC inductor design is totally wrong?

ELECTRO-TECH-ONLINE.COM DISCUSSIONS

Version of the arduino MILLIS function (OnshonSoft Basic).

Sky Fairies
Full Audio Spectrum Sinewave Generator using DDS
Can I use off the shelf 5532 Chinese stereo pre-amp modules in bridged mono mode?
Video card EVGA GT 640 the component marked is exactly SOT-363 ?

FEATURED TUTORIALS

How to build a MicroPython WiFi Sniffer

India’s first drone traffic management system — Skye UTM

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 8/12

3/14/23, 6:40 PM Modbus Protocol

 
Understanding battery management systems

How rechargeable batteries, charging, and discharging cycles work

What are the battery-selection criteria for low-power design?

Battery configurations (series and parallel) and their protections

STAY UP TO DATE

Sign up and receive our weekly newsletter for latest Tech articles, Electronics Projects, Tutorial series and
other insightful tech content.

EE TRAINING CENTER

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,the … 9/12

3/14/23, 6:40 PM Modbus Protocol

 

BROWSE CLASSROOMS

BROWSE DESIGN GUIDES

RECENT ARTICLES

What is the Modbus protocol and how does it work?

How to build a MicroPython-based sensorless, weather station
What drone parts you need to build a quadcopter?
Infineon’s new AIROC combines Wi-Fi 5 and Bluetooth for extended battery life
Infineon is first major semiconductor manufacturer to officially support Rust

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,th… 10/12

3/14/23, 6:40 PM Modbus Protocol

 

SUBMIT A GUEST POST

EE ENGINEERING TRAINING DAYS

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,th… 11/12

3/14/23, 6:40 PM Modbus Protocol

BROWSE TRAINING SESSIONS

 

 

ANALOG IC TIPS

CONNECTOR TIPS

DESIGNFAST

EDABOARD FORUMS

EE WORLD ONLINE

ELECTRO-TECH-ONLINE FORUMS

MICROCONTROLLER TIPS

POWER ELECTRONIC TIPS

SENSOR TIPS

TEST AND MEASUREMENT TIPS

5G TECHNOLOGY WORLD

ABOUT US

CONTACT US

ADVERTISE

Copyright © 2023 WTWH Media LLC. All Rights Reserved. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise
used, except with the prior written permission of WTWH Media
Privacy Policy

https://www.engineersgarage.com/how-modbus-protocol-works/#:~:text=Modbus RTU has Cyclic Redundant Checksums %28CRC%29 and,th… 12/12