What is Modbus: operation, types, frames and uses

  • Modbus is an open master–slave/client–server protocol with a uniform data model.
  • RTU, ASCII, and TCP share functions; encapsulation and error handling vary.
  • Advantages: simplicity, interoperability, and low cost; limitations: security and reporting.

Modbus protocol in industrial automation

Machine-to-machine communication has become the backbone of modern automation, from tiny sensors to controllers and SCADA systems that monitor entire plants. Within this ecosystem, Modbus acts as the common language that allows very different devices to communicate seamlessly and cost-effectively.

Born in 1979 for Modicon PLCs, Modbus is still fully valid in factories, power grids, smart buildings, and industrial IoT applications. Its success is based on its simplicity, openness, and broad compatibility, qualities that facilitate its integration and maintenance even in demanding environments.

What is Modbus and how does it work?

Modbus is an open communication protocol designed to transport data between electronic devices via serial links or IP networks. Its philosophy is simple: a central device (master or client) makes requests, and field devices (slaves or servers) respond with data or acknowledgments.

The classic architecture is master-slave in serial environments and client-server in TCP/IP. In a traditional Modbus serial network, there can be one master and up to 247 slaves, each with its own address. The master polls them in an orderly fashion; the slaves respond only when addressed.

All Modbus messages share a logical structure: they incorporate a function code that determines the operation (e.g., reading discrete inputs, reading/writing registers) and an associated data block. This uniform approach simplifies analysis and diagnosis across different manufacturers.

A key advantage is that the message format does not depend on the physical interface. You can migrate from RS-485 to Ethernet without rewriting the protocol logic: the encapsulation changes, not the semantics. This decoupling reduces costs when upgrading hardware.

Modbus types and communication frames

Modbus Data Model: Object Types and Access

Modbus organizes information into four object classes, with well-defined sizes and permissions. This pattern is identical between variants such as RTU, ASCII, TCP, and RTU over TCP; what changes is the transport envelope, not the data model.

Object | Access | Size
Discrete input (digital input) | Read only | 1 bit
Coil (digital output) | Read/write | 1 bit
Input register | Read only | 16 bits
Holding register | Read/write | 16 bits

The byte order for multibyte values in Modbus data is big-endian, that is, the most significant byte (MSB) is transmitted first. This detail is vital when mapping compound types such as 32-bit integers or IEEE floats.

ADU and PDU: How messages are encapsulated

A Modbus frame consists of an ADU (Application Data Unit) that wraps a PDU (Protocol Data Unit). The PDU is common to all variants and contains the function code and data; the ADU adds addressing and error handling depending on the medium.

  • ADU: Address/Header + PDU + Error Check
  • PDU: Function code + Data

Depending on the variant (RTU, ASCII or TCP) the form of the ADU changes, including delimitation mechanisms, error checking, and transport-specific header fields.

Frame formats by variant

All Modbus implementations use one of these frame formats, adapted to the physical environment or the IP network over which they travel.

Modbus RTU frame (serial, typically RS-485)

RTU uses compact binary coding and CRC for error control. Frames must be transmitted continuously, without gaps between characters, and are separated by silent intervals (≈ 3.5 character times).

Field | Length | Description
Start | Silent interval | Minimum inactivity (~3.5 character times) to delimit the frame
Address | 8 bits | Slave identifier
Function | 8 bits | Requested operation (e.g., reading coils or holding registers)
Data | n × 8 bits | Parameters and/or payload
CRC | 16 bits | Cyclic redundancy check
End | Silent interval | Minimum inactivity (~3.5 character times) between frames

CRC-16 (ANSI/IBM) on Modbus RTU: polynomial x^16 + x^15 + x^2 + 1 (0x8005, inverse 0xA001) with initial value 0xFFFF. Example response in hexadecimal: 01 04 02 FF FF B8 80; CRC calculation on 01…FF produces 0x80B8, which is transmitted in little-endian order (low byte first: B8 80).
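The CRC check described above, as an added example that is not part of the original article: it computes the CRC-16 with the stated parameters and validates the quoted response frame. The function names are hypothetical, and the 256-byte upper bound is the maximum serial ADU size from the Modbus specification.

```python
def crc16_modbus(data: bytes) -> int:
    """Bitwise CRC-16 for Modbus RTU: reflected polynomial 0xA001, init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def parse_rtu_frame(frame: bytes) -> dict:
    """Validate an RTU ADU and split it into address, function and data.

    Raises ValueError when the length is implausible or the CRC does not match.
    """
    # Smallest ADU: address + function + 2 CRC bytes; largest is 256 bytes.
    if not 4 <= len(frame) <= 256:
        raise ValueError(f"bad RTU frame length: {len(frame)}")
    body, trailer = frame[:-2], frame[-2:]
    received = int.from_bytes(trailer, "little")  # low CRC byte is sent first
    expected = crc16_modbus(body)
    if received != expected:
        raise ValueError(f"CRC mismatch: got {received:#06x}, want {expected:#06x}")
    return {"address": body[0], "function": body[1], "data": body[2:]}


# Response frame quoted in the text above.
PAGE_FRAME = bytes.fromhex("01 04 02 FF FF B8 80")

if __name__ == "__main__":
    print(hex(crc16_modbus(PAGE_FRAME[:-2])))
    print(parse_rtu_frame(PAGE_FRAME))
    # Constructed corruption: flip one bit in the function code.
    corrupted = bytes([PAGE_FRAME[0], PAGE_FRAME[1] ^ 0x01]) + PAGE_FRAME[2:]
    try:
        parse_rtu_frame(corrupted)
    except ValueError as exc:
        print("rejected:", exc)
```

A CRC only detects accidental corruption on the wire; it says nothing about who sent the frame.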

Modbus ASCII frame (serial with printable characters)

ASCII represents each byte as two human-readable hexadecimal characters, delimits frames with a colon at the beginning and CR/LF at the end, and uses LRC as a checksum.

Field | Length | Description
Start | 1 byte | Character ':' (0x3A)
Address | 2 ASCII bytes | 8-bit value expressed as two hex characters
Function | 2 ASCII bytes | Function code
Data | n × 2 ASCII bytes | Content in hex pairs
LRC | 2 ASCII bytes | Longitudinal checksum (two's complement of the 8-bit sum)
End | 2 bytes | CR (0x0D) + LF (0x0A)

Example of LRC: with bytes 247, 3, 19, 137, 0, and 10, the sum is 416; its two's complement truncated to 8 bits is 96 (0x60). The frame would be: :F7031389000A60.
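The ASCII framing and LRC rule above, as an added example that is not part of the original article: it builds the frame from the six example bytes and parses it back, rejecting frames with bad delimiters, non-hex characters or a wrong checksum. The function names are hypothetical.

```python
HEX_DIGITS = set(b"0123456789ABCDEFabcdef")


def lrc(payload: bytes) -> int:
    """Two's complement of the 8-bit sum of the payload bytes."""
    return (-sum(payload)) & 0xFF


def build_ascii_frame(payload: bytes) -> bytes:
    """Wrap address + function + data as ':' <hex pairs> <LRC> CR LF."""
    body = payload + bytes([lrc(payload)])
    return b":" + body.hex().upper().encode("ascii") + b"\r\n"


def parse_ascii_frame(frame: bytes) -> dict:
    """Validate a Modbus ASCII frame; raise ValueError if it is malformed."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        raise ValueError("missing ':' start or CR/LF end delimiter")
    hex_part = frame[1:-2]
    # Address, function and LRC are the minimum: three bytes, six characters.
    if len(hex_part) < 6 or len(hex_part) % 2:
        raise ValueError("hex body too short or of odd length")
    if not set(hex_part) <= HEX_DIGITS:  # either letter case is accepted here
        raise ValueError("non-hex character in frame")
    raw = bytes.fromhex(hex_part.decode("ascii"))
    payload, received = raw[:-1], raw[-1]
    if lrc(payload) != received:
        raise ValueError(f"LRC mismatch: got {received:#04x}, want {lrc(payload):#04x}")
    return {"address": payload[0], "function": payload[1], "data": payload[2:]}


# The six bytes used in the LRC example above.
PAGE_PAYLOAD = bytes([247, 3, 19, 137, 0, 10])

if __name__ == "__main__":
    frame = build_ascii_frame(PAGE_PAYLOAD)
    print(frame)
    print(parse_ascii_frame(frame))
```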

Modbus TCP (Ethernet) frame

In TCP/IP, Modbus travels with an MBAP header, which facilitates transaction multiplexing and gatewaying to serial networks. No separate checksum is added, as TCP/IP already incorporates integrity control.

Field (MBAP + PDU) | Length | Description
Transaction ID | 2 bytes | Request-response correlation
Protocol ID | 2 bytes | Always 0 for Modbus/TCP
Length | 2 bytes | Remaining size (Unit ID + PDU)
Unit ID | 1 byte | Device address behind a gateway (or 255 if not applicable)
Function code | 1 byte | Operation requested
Data | n bytes | Parameters and payload

The Unit ID allows addressing RTU devices behind a Modbus TCP–RTU gateway. On purely TCP devices, it is often ignored. The service uses port 502 and is standardized (IEC 61158, cited in IEC 61784-2 as CPF 15/1).
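Since the MBAP header carries no checksum or sender identity, a monitoring point can at least check that the header is self-consistent and separate state-changing requests from the rest. The following is an added example, not part of the original article: the function names and sample ADUs are constructed, each byte string is assumed to hold exactly one ADU, and the write function codes and the 253-byte PDU limit come from the Modbus application specification.

```python
import struct

# Function codes that change device state: write coil/register (5, 6, 15, 16),
# write file record (21), mask write (22), read/write multiple registers (23).
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}


def parse_mbap(adu: bytes) -> dict:
    """Parse one Modbus TCP ADU; raise ValueError if the header is inconsistent."""
    if len(adu) < 8:  # 7-byte MBAP header plus at least the function code
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError(f"protocol ID {proto} is not 0 (Modbus/TCP)")
    # Length counts the Unit ID plus the PDU, and a PDU is at most 253 bytes.
    if not 2 <= length <= 254:
        raise ValueError(f"length field {length} out of range")
    if length != len(adu) - 6:
        raise ValueError("length field does not match the bytes received")
    return {"transaction_id": tid, "unit_id": unit,
            "function": adu[7], "data": adu[8:]}


def triage(adus) -> list:
    """Label each ADU 'reject: <reason>', 'write' or 'non-write'."""
    verdicts = []
    for adu in adus:
        try:
            msg = parse_mbap(adu)
        except ValueError as exc:
            verdicts.append(f"reject: {exc}")
            continue
        verdicts.append("write" if msg["function"] in WRITE_FUNCTIONS else "non-write")
    return verdicts


# Constructed samples: read holding registers, write single register,
# a non-zero protocol ID, and a request with its last byte missing.
READ_REQ = bytes.fromhex("0001 0000 0006 11 03 006B 0003")
WRITE_REQ = bytes.fromhex("0002 0000 0006 11 06 0001 0003")
BAD_PROTO = bytes.fromhex("0003 0001 0006 11 03 006B 0003")
TRUNCATED = READ_REQ[:-1]

if __name__ == "__main__":
    for verdict in triage([READ_REQ, WRITE_REQ, BAD_PROTO, TRUNCATED]):
        print(verdict)
```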

Modbus Variants: A Complete Overview

There are multiple flavors of Modbus for different media and requirements. They share a data model and basic functions; they differ in how they encapsulate and transport the PDU.

  • Modbus RTU: The most common binary implementation over serial links such as RS-485. It uses CRC-16 and requires contiguous transmissions without gaps.
  • Modbus ASCII: serial variant with printable characters and LRC. Less commonly used today, but useful where readability and manual debugging are a priority.
  • Modbus TCP/IP (Modbus TCP): Works over IP networks, port 502. Client–server, no additional checksum at the application level.
  • Modbus over TCP/RTU-IP: encapsulates RTU over TCP including the CRC in the payload, useful for transporting RTU frames as is.
  • Modbus over UDP: There are experimental implementations to reduce TCP overhead by sacrificing connection performance.
  • Modbus Plus (MB+, proprietary): Schneider Electric's high-speed network, featuring peer-to-peer communications between multiple masters, HDLC, and 1 Mbit/s over twisted pair; requires specific hardware (ISA/PCI/PCMCIA cards).
  • Pemex Modbus: extension with support for historical data and flow measurements, designed for PEMEX; it was not widely adopted.
  • Enron Modbus: extension that adds 32-bit integers, floats, and historical/stream data, mapped to standard addresses with type alignment according to API practices.

The first four variants (RTU, ASCII, TCP, and RTU over TCP) share the same call and data model, but they are not interoperable with each other at the frame level: the encapsulation changes and, with it, the wiring/physical layer or network.

Practical advantages of Modbus in industry

The popularity of Modbus is no coincidence: it is open, free, easy to implement, and highly interoperable, which reduces barriers between manufacturers and makes integration cheaper.

  • Ease of implementation: few requirements (a serial or Ethernet port) and a simple stack.
  • High compatibility: heterogeneous equipment coexists without depending on a single supplier.
  • Reliability: RTU incorporates CRC as standard; in TCP it relies on the IP stack.
  • Flexibility: Supports RS-232, RS-485, and Ethernet; various topologies.
  • Low cost: There are no licenses and development is lightweight.

In its TCP/IP mode, existing LAN infrastructures are also used, with typical speeds of 10 to 100 Mbit/s, facilitating scalability and centralized management.

Common limitations and variations

Not everything is advantageous; there are also restrictions derived from its original design for PLCs in the late 1970s.

  • Limited diagnosis and reporting: The master-slave scheme requires periodic polling; there is no standard serial “report by exception” (there are Ethernet implementations with specific notifications).
  • Limited addressing on serial bus: up to 254 devices per data link in RTU/ASCII.
  • Contiguous transmission: Frames do not support gaps; not all remote media tolerate this without buffering.
  • Non-existent native security: It does not incorporate authentication or encryption; it must be reinforced with VPNs, firewalls, ACLs, etc.
  • Legacy data types: The base standard focuses on 1-bit and 16-bit values; binary large objects are not supported.
  • Variable metadata: There is no standard way to announce the meaning/scale of a register (e.g., “temperature 30 to 175°C”).

Frequent implementation variations include IEEE 754 floats, 32-bit integers, packed 8-bit data, bit fields within integers, multipliers (10, 100, 1000, 256) for scaling magnitudes, slave addresses extended to 16 bits, or 32-bit responses per address on some devices.

Physical Layers and RS-485: Field Notes

  • Long distance: up to ~1200 m with adjustable speeds depending on the section.
  • Multipoint: dozens of nodes share the same bus with logical addressing.
  • Best practices: terminations, biasing and bus topologies (avoid “stars”).

Compared to RS-232, RS-485 is preferable for long runs and networks with multiple devices, keeping costs low and wiring simple.

Real case studies

Plant migration: from RTU to TCP with gateway

An automotive component manufacturer needed to expand its production and moved from a pure Modbus RTU network to a mixed environment with Modbus TCP/IP over CAT6 Ethernet. The original RS-485 was retained for legacy equipment, and a Modbus TCP–RTU gateway was added to route data between both worlds, achieving scaling without stopping the plant.

Electric utility: SCADA over Modbus TCP with cybersecurity reinforcement

An electric company modernized its SCADA by migrating from traditional RTU to Modbus TCP/IP over a private Ethernet network. Given the security requirement, it deployed VPNs between substations, managed switches, firewalls and role-based access control. Result: high-availability monitoring and control, with reduced exposure to remote intrusions.

Low-Level Modbus API in LabVIEW: Control and Redundancy

When you need to fine-tune sequences and timing, the LabVIEW low-level API for Modbus is the way to go. It offers flexibility, but requires greater responsibility in managing states and errors.

Introductory example (Modbus Library.lvproj): in a typical implementation, a master instance (TCP or Serial) is created, functions such as Read Input Registers are issued, and the session is closed by releasing the TCP connection or the NI-VISA resource. The pattern is the classic open–read/write–close, with differences between master (requests via network) and slave (operates on its local storage).

Advanced example with redundant masters: in this architecture, two active masters query the same slave; if one loses connection to the slave or the HMI, the other takes over without interrupting operation. This is a useful approach when the goal is fault tolerance for critical gateways or sensors.

Modbus TCP in practice

Modbus TCP establishes a client-server scheme that works wonders on local networks; keeping nodes on the same subnet simplifies discovery and management. All requests are routed through port 502/TCP, usually in half duplex per connection: there is no advantage to stacking requests without waiting for a response.

The device address can be used to reach RTU nodes through gateways by referencing the gateway IP and the remote device's Unit ID. Modbus/TCP has been standardized since 2007 (IEC 61158 and IEC 61784-2).

RTU vs. TCP vs. ASCII: When to Use Each

Modbus RTU shines in robust and economical serial buses; Modbus TCP is ideal when you want to scale, integrate with LAN/IT and connect many devices; Modbus ASCII has a residual use today, useful in environments where reading the frames “by eye” is still valuable.

  • RTU: Compact binary, CRC, ideal for short/medium distances with RS-485.
  • TCP: Ethernet/IP, higher speed and range, unlimited IP addresses.
  • ASCII: readable, with LRC, useful for debugging and historical compatibility.

Supported software: SCADA and HMI

Modbus is ubiquitous in SCADA/HMI platforms. Solutions that typically provide native support include Citect, ICONICS, iFIX, InduSoft, InTouch/Wonderware, Trace Mode, Wizcon, Entivity (Studio/Live/VLC), among others.

Applications: energy, BMS and electric mobility

Integrated with SCADA, Modbus provides a centralized view of the status and operation of energy assets (substations, transformer centers, distribution automation), enabling predictive maintenance and improved availability.

In building management systems (BMS), Modbus helps orchestrate air conditioning, lighting, generator sets, or storage, with a direct impact on energy efficiency and costs.

In electric vehicle charging, Modbus provides interoperability with inverters and smart meters. For example, the Trydan charging point uses Modbus RTU to remotely operate and read meters, integrating with photovoltaic systems; the Pole Pro chargers can be connected via Modbus TCP for fine control of the load.

Specialized companies like Cuerva put data at the center to detect inefficiencies, optimize facilities, and deploy predictive, preventive, and corrective maintenance plans that increase equipment reliability.

How to connect a Modbus network: keys and parameters

Before wiring, obtain the manufacturer's documentation to understand register mapping and communication parameters. It's the GPS of the project.

  • Physical: RTU over RS-485/RS-232; TCP over Ethernet (RJ45/IP65 connectors in industrial environments).
  • Parameters: baud rate, data/parity/stop bits (in serial), IP/ports (in TCP), slave address/Unit ID.
  • Registers: know the addresses of coils/inputs/holding/input registers and scales (multipliers, offsets).

In TCP, each device uses an IP address and communication is encapsulated in TCP/IP packets. On a serial bus, take care with terminations, cable lengths, and branches so that the signal arrives cleanly.
