TCP Ip-1

Uploaded by

RAMZI ALJILANY
Copyright
© © All Rights Reserved

Praise be to God, who has favored us and taught us what we did not know, and praise be to God, Lord of the worlds.

MODBUS TCP/IP
Eng Mohamed Sameh

Network layering
The network layer is the third layer of the OSI model. It is responsible for managing connections between different networks and ensuring that data packets are routed correctly from the source to the destination.

1.1 What is the OSI model

The OSI model is a conceptual framework used to understand and standardize the functions of a telecommunication or computing system. The model is divided into seven layers:

• Physical Layer: This is the lowest layer that deals with the physical connection between devices,
including cables, switches, and the electrical signals transmitted
• Data Link Layer: This layer is responsible for the node-to-node data transfer and error
detection/correction. It ensures that data is transferred reliably over the physical layer.
• Network Layer: As we discussed earlier, this layer handles the routing and forwarding of data packets
across different networks. It includes logical addressing (IP addresses)

• Transport Layer: This layer ensures end-to-end communication, managing error recovery and flow
control. It’s where protocols like TCP (Transmission Control Protocol) and UDP (User Datagram Protocol)
operate
• Session Layer: This layer manages sessions or connections between applications. It establishes,
maintains, and terminates connections
• Presentation Layer: This layer translates data between the application layer and the network. It
handles data encoding, encryption, and compression.
• Application Layer: This is the topmost layer that interacts with software applications. It provides
network services directly to end-users and includes protocols like HTTP, FTP, and SMTP.


1.2 Communication mechanism


The Modbus software module does not connect to RS485 itself. On the master, it passes the data to the RS485 interface; that interface sends the data to the RS485 interface in the slave, which passes the data to the Modbus software module in the slave.

Application layer (Modbus software module):

It defines the arrangement of the data; it does not define how the data is transported.

1.3 TCP/IP Layers


The Modbus TCP/IP protocol is based on the OSI model. In Modbus TCP/IP the application layer becomes the Modbus software module and the transport layer is TCP.


1.4 Field connection


The hardware connection consists of a hub (switch) and Ethernet cable with a male connector (RJ-45).

In Modbus RTU the system consists of a master and slaves, but in TCP/IP it consists of servers and clients, and we can have multiple servers and multiple clients.

1.5 Communication between PLCs

• Application Layer: Where the Modbus TCP/IP protocol operates.


• Network Access Layer: Represents physical devices like Ethernet and firmware
• Physical Connection: The devices are physically interconnected through a hub or
switch


1.6 Features
• A Modbus TCP/IP network can have multiple servers and clients
• A Modbus client can communicate with multiple servers, and a Modbus server can
handle requests from multiple Modbus clients
• There are devices that can act as Modbus client and server at the same time
• Multiple Message Sending: A Modbus client can initiate several Modbus messages to
a remote server without waiting for the response of the previous one. For instance,
the client can send multiple read input register or read coil status requests one after
the other without waiting for responses
• Requests to Multiple Servers: The client can also send requests to different servers
without waiting for responses from any of them. It sends the requests and receives
the responses independently

• Message Tagging: Modbus TCP/IP uses a form of tagging to match queries with their
corresponding responses. This ensures that responses are matched with the correct
requests, facilitating smoother communication.
• Increased Communication Speed: This feature allows for much faster
communication on the network, enabling quicker exchange of Modbus messages
between clients and servers compared to RS-485


IP addresses
1.7 IP address
In Modbus RTU, a slave is addressed by its unit ID, which is placed in the message. In TCP/IP, the IP address is used to determine the locations of the servers and clients.

These non-Modbus devices do not have a unit ID, which poses a challenge in identifying the devices.
To solve this issue, the TCP/IP network assigns each device, whether it is a Modbus device or not, a
unique IP address that can be used to identify the device on the network. In the upcoming videos, we
will learn how to configure and format this IP address

Abstract
If the device does not have a unit ID we cannot connect it to the network in Modbus, but if the device has
an IP address we can connect it to the network.

• Several devices never have the same IP address, but when devices share the same address a port number must be configured, because through it we can know exactly which device we want to send data to.


1.8 How does Modbus TCP/IP works

The client sends a request to the server to retrieve data, and the server responds by
approving the request.

1.9 Ethernet
Ethernet is one of the physical technologies used by TCP/IP to send and receive data through electrical
signals on the network.
This technology involves a process called "network arbitration," a system used by physical layer
technologies to create order on a network, ensuring data transfer occurs in an orderly fashion and
minimizing data collisions as much as possible.
Ethernet performs network arbitration in its unique way, and understanding this process is crucial,
especially from a Modbus TCP/IP perspective.
The diagram shown here reminds you of Ethernet's place within the TCP/IP framework, where Ethernet
is physically utilized by its hardware and firmware to transmit data. While other physical technologies
like Token Ring and ATM can be used with TCP/IP, Ethernet is the most widely used form of physical
technology.


Comparison between Modbus and TCP/IP in physical layer

In Modbus we use RS485, but in TCP/IP we use Ethernet. In Modbus the master sends the data to all slaves, but only the specific slave responds, because its unit ID is mentioned in the message.

In TCP/IP any client can send requests to any of the servers, so a data conflict (collision) can happen. We can eliminate it with CSMA/CD.

1.10 CSMA/CD
Network arbitration is a process used by physical layer technologies to manage and control data transfer on a network.
This system helps to ensure that data is transmitted in an orderly fashion and minimizes data collisions, which can occur
when multiple devices try to send data simultaneously.

In the context of Ethernet, network arbitration is achieved through a method known as Carrier Sense Multiple Access with
Collision Detection (CSMA/CD). Here's how it works:

1. Carrier Sense: Each device on the network listens (or senses) the network to check if it is currently in use before
attempting to send data.

2. Multiple Access: Multiple devices share the same communication medium, so they must take turns accessing
the network.

3. Collision Detection: If two devices attempt to send data at the same time, a collision occurs. Ethernet devices
can detect this collision.

4. Backoff Algorithm: When a collision is detected, the devices stop transmitting and wait for a random period
before attempting to send the data again.

This process ensures that data collisions are minimized, and the network remains efficient and orderly.

Example Scenario:

• Client 1 sends a query to Server 2, and Server 2 responds.

• If no other device is using the network, the communication happens smoothly.

• Sometimes, Client 1 and Client 2 might try to send data simultaneously, causing a collision.

• Both clients detect the collision and stop sending data.

• They wait for a random time and then try sending data again. Since the wait times are different, one client will
send data successfully before the other tries again.

This process ensures that the network continues to function efficiently, even when collisions occur. The actions happen
very quickly, in fractions of a millisecond, so you don't usually notice any delay.


Data frame
1.11 Data frame in Modbus
It consists of 4 sections:
• Device address (unit ID)
• Function code, such as:
1. Read coils
2. Read inputs
3. Read holding registers
4. Read input registers
• Data bytes
• Error check (CRC or LRC)

1.12 Data frame in Modbus TCP/IP

In the TCP/IP protocol the frame consists of 2 sections:
• MBAP (Modbus application protocol header)
• PDU (protocol data unit)

| Field | Number of bytes |
|---|---|
| Transaction identifier | 2 |
| Protocol identifier | 2 |
| Length | 2 |
| Unit ID | 1 |
| Function code | 1 |
| Data bytes (eight-bit) | varies |


1.13 Transaction identifier

The transaction identifier is used to identify and pair messages between requests and responses. Here is a simplified
explanation:
• Sending Multiple Requests: A Modbus client can send multiple requests to a
Modbus server without waiting for a response to each one before sending the
next. This could cause confusion if responses arrive in a different order than
the requests were sent.

Example
Imagine a Modbus client sends three consecutive requests to read data from three
different sets of units:
• First request: Read units 1 to 32
• Second request: Read units 33 to 64
• Third request: Read units 65 to 96.
Due to network conditions, responses might arrive in a different order:
• Response to the third request arrives first
• Response to the second request arrives second
• Response to the first request arrives third

Transaction Identifier: This is where the transaction identifier comes into play. When a
Modbus client sends a request, a unique number (transaction identifier) is added to the header.
When responses arrive, they carry the same transaction identifier. This helps the client match
each response to the correct request, even if they arrive out of order
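
The three-request scenario above, as an added example that is not part of the original document: a client-side table that pairs out-of-order responses with their requests by transaction identifier and drops replies it never asked for. The class name, the unit ID of 1 and the reply frames are constructed for illustration.

```python
import struct

class PendingRequests:
    """Tracks outstanding requests so responses may arrive in any order."""

    def __init__(self):
        self._next_tid = 0
        self._pending = {}

    def register(self, description):
        # The transaction identifier is 2 bytes, so it wraps after 0xFFFF.
        self._next_tid = (self._next_tid % 0xFFFF) + 1
        if self._next_tid in self._pending:
            raise RuntimeError("transaction identifier still in use")
        self._pending[self._next_tid] = description
        return self._next_tid

    def match(self, frame):
        """Return the request this response answers, or None if unsolicited."""
        if len(frame) < 7:                       # shorter than an MBAP header
            return None
        tid, proto = struct.unpack_from(">HH", frame)
        if proto != 0:                           # protocol identifier is always 0
            return None
        return self._pending.pop(tid, None)      # each identifier matches once

def reply(tid):
    # Constructed response: MBAP header, function 0x04, byte count 0.
    return struct.pack(">HHHBBB", tid, 0, 3, 1, 0x04, 0)

def demo():
    table = PendingRequests()
    tids = [table.register(r) for r in
            ("units 1-32", "units 33-64", "units 65-96")]
    # Responses arrive third, second, first, as in the scenario above.
    arrival = [reply(tids[2]), reply(tids[1]), reply(tids[0])]
    matched = [table.match(frame) for frame in arrival]
    stray = table.match(reply(tids[0]))          # duplicate of an answered request
    return matched, stray

if __name__ == "__main__":
    print(demo())
```

Because an identifier is removed from the table once it has been matched, a repeated or unsolicited response is rejected instead of being paired with the wrong request.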


1.13 Protocol identifier


This field is always set to 0 for Modbus services. It is reserved for future protocol extensions.
Therefore, in the current context, users do not need to worry about it.

1.14 Length Field


This field indicates the number of bytes remaining in the message, including the Unit ID,
function code, and data. Simply put, it shows the total length of these parts.

1.15 Unit ID
This field is used to identify individual devices in a Modbus network. In normal usage
scenarios, it may not be required in Modbus TCP/IP communications because identity is
determined via IP address. However, in certain special cases, such as serial bridges, it is used
to identify devices connected through the bridge.


1.16 SECTIONS EXTENSIONS


To understand what happens when Modbus data is transmitted over TCP/IP, let's break
down the components and processes explained in the video:
1. Modbus PDU (Protocol Data Unit): The data starts with the Transaction Identifier,
Protocol Identifier, Length, Unit ID, Function Code, and Data.
2. TCP/IP Layer: When the data frame is passed to the TCP/IP module, two additional
headers are added:
o TCP Header: Includes control information for the TCP connection, such as port
numbers and connection management data.
o IP Header: Contains the IP address of the destination device, ensuring the
data reaches the correct address.
3. Control Information: This information is called "control information" and is not the
actual data, but it helps in directing the data to the correct destination.
4. TCP Header: Responsible for ensuring the data is transferred in a connection-oriented
manner, maintaining the connection, and overseeing data delivery.
5. IP Header: Contains the source and destination IP addresses to ensure the data is
correctly routed across the network.
6. Ethernet Layer: When the data reaches the Ethernet layer, an Ethernet header is
added:
Ethernet Header: Contains the MAC addresses of the sender and receiver and converts the
data into electrical signals that travel through cables to reach the destination.


1.17 Example for addressing

Components of Modbus ADU:

• Transaction Identifier: Unique identifier for the transaction.

• Protocol Identifier: Always zero for Modbus.

• Length: Number of remaining bytes in the message.

• Unit ID: Identifier for the unit.

• Function Code: Specifies the operation type.

• Data: Contains the actual data.

Example: Reading Input Register

Scenario: Reading an input register at address 30019.

Steps:

• Function Code: 0x04 (Read Input Registers).

• Data Bytes:

o Starting Address: 30019 - 30001 = 18 (0x0012 in hexadecimal).

o Number of Registers: 1 (0x0001 in hexadecimal).

Complete Frame:

• Function Code: 0x04.

• Starting Address: 0x0012.

• Number of Registers: 0x0001.

Components of Modbus ADU:

• Transaction Identifier: 0x0001 (for the first request).

• Protocol Identifier: 0x0000.

• Length: 0x0006 (6 bytes remaining).

• Unit ID: 0x16 (default 22).

• Function Code: 0x04.

• Starting Address: 0x0012.

• Number of Registers: 0x0001.

Adding TCP/IP and Ethernet Headers

When data is sent over TCP/IP, TCP and IP headers are added for proper routing. An Ethernet header is
then added to convert the data into electrical signals for transmission.


If the response from the transmitter is 35 psi, then the response frame is:
• Transaction Identifier: 0x0001 (for the first request).

• Protocol Identifier: 0x0000.

• Length: 0x0005 (5 bytes remaining).

• Unit ID: 0x16 (default 22).

• Function Code: 0x04.

• Byte count: 2 (the expected number of bytes).

• Data: 35 (the response).
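
The request and response frames from this worked example, as added code that is not part of the original document: it builds the read request for register 30019 byte by byte and checks every header field of the 35 psi response before accepting the value. The function names are chosen here for illustration; the field values are the ones listed above.

```python
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

def build_read_input_registers(tid, unit_id, reference, quantity=1):
    """Build the ADU for function 0x04 from a 3xxxx register reference."""
    start = reference - 30001             # 30019 -> 18 (0x0012)
    pdu = struct.pack(">BHH", 0x04, start, quantity)
    # Length counts every byte after the length field: unit ID + PDU.
    return MBAP.pack(tid, 0x0000, 1 + len(pdu), unit_id) + pdu

def parse_read_response(frame, expected_tid, expected_unit, quantity=1):
    """Check a function 0x04 response field by field; return the registers."""
    if len(frame) < MBAP.size + 2:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol identifier must be 0")
    if length != len(frame) - 6:
        raise ValueError("length field does not match bytes received")
    if tid != expected_tid or unit != expected_unit:
        raise ValueError("response does not belong to this request")
    function, byte_count = frame[7], frame[8]
    if function != 0x04:
        raise ValueError("unexpected function code 0x%02x" % function)
    if byte_count != 2 * quantity or len(frame) != 9 + byte_count:
        raise ValueError("byte count does not match registers requested")
    return list(struct.unpack(">%dH" % quantity, frame[9:]))

# Frames constructed from the values in the worked example above.
REQUEST = build_read_input_registers(0x0001, 0x16, 30019)
RESPONSE = bytes.fromhex("0001000000051604020023")   # 0x0023 = 35

if __name__ == "__main__":
    print(REQUEST.hex(" "))                           # the 12 request bytes
    print(parse_read_response(RESPONSE, 0x0001, 0x16))
```

A frame whose length field, transaction identifier, unit ID or byte count disagrees with the request is rejected with an error instead of being decoded.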


MODBUS TCP/IP SIMULATION


1.18 MODBUS TCP/IP SIMULATION

Tools:
1. Modscan32
2. Modsim32

Modscan32 (master)

Supports Modbus (RTU, ASCII, TCP/IP).

[Screenshot of the Modscan32 window, with labels: start address, unit ID, function code, number of registers to read]


Modsim32 (slave)
Steps:
1. From File
2. Click New

NOTE: You must know your IP address:

1. Open CMD
2. Write ipconfig
3. Get your address

1.19 How to connect modsim32 with modscan32

1. From Modsim32 choose Connection, select Connect and select Modbus/TCP.

2. From Modscan32 choose Connection and select Connect; under "Connect using" choose
Remote TCP/IP and put your IP.


We can monitor the response of the system using Show traffic.

[Screenshot of the traffic window, with labels: the message from server; from slave]

Modbus supports 4 functions only:

• Read coil states
• Read input states
• Read holding registers
• Read input registers

But it does not support:

• Force single coil
• Preset single register

We can use CAS Modbus software.


Connect plc 1200 with Modbus poll


• Drag and drop from Communication – Others – Modbus TCP – client

The block's parameters, as labelled in the screenshot:

• The frequency of requests
• Marker to disconnect the connection
• Read or write
• Address you want to access
• Data block for reading or writing into it
• Data block for the device you want to access
• Profinet interface from HW config
• Transaction parameter
• IP address for the device
• Default for TCP/IP
• If it is true the device is a client; if false, the device is a server

Modbus poll

• From Connection select Connect
• Choose to register later
• From Connection select Modbus TCP/IP
• Write your IP address
• For TCP/IP write 502 in server port


• DON'T FORGET TO MAKE YOUR DATA BLOCK NON-OPTIMIZED

• IT IS IMPORTANT FOR NUMBER OF REGISTERS AND FUNCTION CODE


PLC-1200 as server and Modbus slave

• Drag and drop from communication – others- Modbus TCP – client

For the data you want to access and send, (MB_HOLD) works as a pointer that can access the data in the data block. If I put the start register at 40001 and have 10 columns in the data block, the first one is accessed at 40001.

The data block for the server holds information about it, such as the IP address and ID (transaction parameter).


Important points

• If I make it without data, that means any client can access this server
• Standard for TCP/IP

• From connection select connect


• Choose to register later
• From connection select Modbus TCP/IP
• Write Your IP address
• For TCP/IP write 502 in server port
