Fundamentals

What is Modbus?

Modbus is a serial communication protocol originally published by Modicon (now Schneider Electric) in 1979 for use with programmable logic controllers (PLCs). It has since become a de facto standard in industrial automation and is one of the most widely used protocols for connecting electronic devices in factories, power plants, and building automation systems.

Why Modbus is Still Popular

  • Simple & Open - Easy to implement, royalty-free, and well-documented
  • Widely Supported - Supported by virtually every industrial device manufacturer
  • Reliable - Proven over 45+ years of industrial use
  • Interoperable - Devices from different vendors can communicate seamlessly

A Brief History

  • 1979 - Modicon publishes the original Modbus specification for serial communication (RTU/ASCII)
  • 1999 - Modbus TCP/IP is released, bringing Modbus to Ethernet networks
  • 2004 - Modbus Organization takes over protocol management and maintenance
  • Today - Still the most widely used industrial protocol worldwide, with millions of devices deployed

Architecture

How Modbus Works

Modbus uses a Master/Slave (also called Client/Server) architecture. The master device initiates requests, and slave devices respond with the requested data or perform the requested action.

Communication Flow

Master (Client): sends requests
    Request →    ← Response
Slave (Server): processes and responds

Key Concepts

Slave ID / Unit ID

Each slave device has a unique address (1-247). The master uses this ID to target a specific device. ID 0 is reserved for broadcast messages.

Function Code

A numeric code (1-127) that tells the slave what operation to perform - read coils, write registers, etc.

Data Payload

Contains the register addresses, quantities, and values depending on the function code being used.

Error Checking

Serial frames end with a checksum: CRC for RTU, LRC for ASCII. Modbus TCP carries no checksum of its own and relies on the error detection built into TCP/IP.

Request/Response Example

Master sends: [Slave ID] [Function Code] [Start Address] [Quantity] [CRC]
Example: 01 03 00 00 00 0A C5 CD
Slave responds: [Slave ID] [Function Code] [Byte Count] [Data...] [CRC]
Example: 01 03 14 00 64 00 C8 ... 3A 7B

This example reads 10 holding registers starting from address 0 on slave ID 1.
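
Added example (not part of the original page): a Python sketch that rebuilds the request frame shown above, including its CRC, and validates an FC 03 response before trusting its contents. The function names are illustrative, and the 1-125 quantity limit comes from the Modbus specification rather than from this page.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_read_holding(slave_id: int, start: int, quantity: int) -> bytes:
    """Build an FC 03 request; the CRC is appended low byte first."""
    if not 1 <= quantity <= 125:
        raise ValueError("FC 03 allows 1-125 registers per request")
    body = struct.pack(">BBHH", slave_id, 0x03, start, quantity)
    return body + struct.pack("<H", crc16_modbus(body))

def parse_read_response(frame: bytes, slave_id: int) -> list:
    """Validate an FC 03 response and return the register values."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, received = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch")
    if body[0] != slave_id or body[1] != 0x03:
        raise ValueError("unexpected slave ID or function code")
    count = body[2]
    # The byte count must be even and must match the payload actually present.
    if count % 2 or count != len(body) - 3:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{count // 2}H", body[3:]))

if __name__ == "__main__":
    # Prints the request from the example above: 01 03 00 00 00 0a c5 cd
    print(build_read_holding(1, 0, 10).hex(" "))
```

The CRC detects accidental corruption only; any sender can compute a valid one, so it says nothing about who produced the frame.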

Comparison

Modbus TCP vs Modbus RTU

Modbus comes in two primary variants. Both carry the same type of data, but the transport layer and frame format differ.

Aspect | Modbus RTU | Modbus TCP/IP
Physical Layer | RS-485 / RS-232 serial | Ethernet (Cat5/Cat6)
Network Topology | Daisy chain (bus) | Star (switch-based)
Speed | Up to 115,200 baud | 10/100/1000 Mbps
Max Devices | 247 per bus | Virtually unlimited
Cable Distance | Up to 1,200m (RS-485) | 100m per segment
Error Detection | CRC-16 checksum | TCP/IP built-in
Masters | Single master only | Multiple clients
Default Port | COM port (serial) | TCP port 502
Best For | Simple, short-distance, cost-effective setups | Complex networks, long distance, high speed

Modbus RTU Frame

Slave ID 1 byte
Function 1 byte
Data N bytes
CRC 2 bytes

Modbus TCP Frame

Trans ID 2 bytes
Protocol 2 bytes
Length 2 bytes
Unit ID 1 byte
Function 1 byte
Data N bytes

TCP adds a 7-byte MBAP header and removes the CRC (TCP/IP handles error checking).

Reference

Modbus Function Codes

Function codes tell the slave device what action to perform. Here are the most commonly used function codes, all supported by ModbusBB.

Read Functions

FC 01
Read Coils

Read the ON/OFF status of discrete outputs (coils). Returns a bit array.

FC 02
Read Discrete Inputs

Read the ON/OFF status of discrete inputs. Similar to FC 01 but for read-only inputs.

FC 03
Read Holding Registers

Read the contents of holding registers (read/write 16-bit values). The most commonly used function.

FC 04
Read Input Registers

Read the contents of input registers (read-only 16-bit values). Used for sensor data.

Write Functions

FC 05
Write Single Coil

Set a single coil to ON (0xFF00) or OFF (0x0000).

FC 06
Write Single Register

Write a single 16-bit value to a holding register.

FC 15
Write Multiple Coils

Set multiple coils to ON/OFF in a single request. More efficient than multiple FC 05 calls.

FC 16
Write Multiple Registers

Write to multiple consecutive holding registers in one request. Essential for 32-bit values.

Exception Responses

When a slave device cannot process a request, it returns an exception response with an error code:

0x01
Illegal Function

The function code is not supported by the slave device.

0x02
Illegal Data Address

The requested register address does not exist on the device.

0x03
Illegal Data Value

The value in the request is not acceptable (e.g., out of range).

0x04
Slave Device Failure

An internal error occurred in the slave while processing the request.
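
Added example (not part of the original page, and not ModbusBB code): a Python parser for the Modbus TCP frame layout described earlier that checks the MBAP header and then labels the frame as a read, a write, or an exception, using the function and exception codes listed above. The sample frames are constructed, and the rule that an exception response sets the high bit of the function code comes from the Modbus specification rather than from this page.

```python
import struct

READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
              3: "Illegal Data Value", 4: "Slave Device Failure"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Validate the MBAP header and classify the PDU that follows it."""
    if len(frame) < 8:
        raise ValueError("need a 7-byte MBAP header plus a function code")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol ID is 0 for Modbus")
    # Length counts every byte after the Length field: Unit ID + PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, data = frame[7], frame[8:]
    info = {"trans_id": trans_id, "unit_id": unit_id, "fc": fc & 0x7F}
    if fc & 0x80:
        # Exception response: request FC with the high bit set, then one code byte.
        if len(data) != 1:
            raise ValueError("exception response carries exactly one code byte")
        info["kind"] = "exception"
        info["name"] = EXCEPTIONS.get(data[0], f"code 0x{data[0]:02X}")
    elif fc in WRITE_FCS:
        info["kind"], info["name"] = "write", WRITE_FCS[fc]
    elif fc in READ_FCS:
        info["kind"], info["name"] = "read", READ_FCS[fc]
    else:
        info["kind"], info["name"] = "other", f"FC {fc}"
    return info

# Constructed sample frames (not captured traffic).
READ_REQ = bytes.fromhex("00010000000601030000000A")   # FC 03, 10 registers
WRITE_REQ = bytes.fromhex("000200000006010600101234")  # FC 06, one register
EXC_RESP = bytes.fromhex("000300000003018302")         # FC 03 -> exception 0x02

if __name__ == "__main__":
    for sample in (READ_REQ, WRITE_REQ, EXC_RESP):
        print(parse_modbus_tcp(sample))
```

Separating write function codes from read ones is the first step when reviewing which clients are changing values on a device rather than only polling it.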

Data Model

Registers & Data Types

Modbus organizes data into four types of memory areas. Understanding these is essential for working with any Modbus device.

Coils

Address Range: 00001 - 09999

Type: Single bit (ON/OFF)

Access: Read/Write

Function Codes: FC 01, 05, 15

Example: Relay outputs, motor start/stop, valve open/close

Discrete Inputs

Address Range: 10001 - 19999

Type: Single bit (ON/OFF)

Access: Read Only

Function Code: FC 02

Example: Limit switches, push buttons, sensor status

Input Registers

Address Range: 30001 - 39999

Type: 16-bit word (0 - 65535)

Access: Read Only

Function Code: FC 04

Example: Temperature sensors, analog inputs, measured values

Holding Registers

Address Range: 40001 - 49999

Type: 16-bit word (0 - 65535)

Access: Read/Write

Function Codes: FC 03, 06, 16

Example: Setpoints, configuration, control parameters

Common Data Formats

While Modbus registers are 16-bit, real-world values often require different data formats. ModbusBB supports all of these:

16-bit Integer

Single register. Unsigned (0 to 65,535) or signed (-32,768 to 32,767). Most common format.

32-bit Integer

Two consecutive registers combined. Unsigned (0 to ~4.29 billion) or signed. Byte order matters.

Float32 (IEEE 754)

Two registers forming a 32-bit floating point value. Used for temperatures, pressures, flow rates.

Byte Order

For 32-bit values, the byte order (ABCD, DCBA, BADC, CDAB) varies by manufacturer. ModbusBB supports all.
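
Added example (not part of the original page, and not ModbusBB code): decoding one 32-bit value from two registers under each of the four byte orders named above, plus a helper that reports which orders give a plausible reading. It assumes each letter names a byte in the sequence the device transmits it, with A the most significant byte; the function names and sample registers are constructed for illustration.

```python
import struct

ORDERS = ("ABCD", "DCBA", "BADC", "CDAB")

def to_big_endian(regs, order):
    """Rearrange two 16-bit registers into the value's bytes, A (MSB) first.

    `order` names the bytes in the sequence the device transmits them.
    """
    if order not in ORDERS:
        raise ValueError(f"unknown byte order {order!r}")
    wire = struct.pack(">HH", *regs)  # each register arrives high byte first
    return bytes(wire[order.index(ch)] for ch in "ABCD")

def decode_float32(regs, order="ABCD"):
    """Interpret two registers as an IEEE 754 float32."""
    return struct.unpack(">f", to_big_endian(regs, order))[0]

def decode_uint32(regs, order="ABCD"):
    """Interpret two registers as an unsigned 32-bit integer."""
    return struct.unpack(">I", to_big_endian(regs, order))[0]

def encode_float32(value, order="ABCD"):
    """Inverse of decode_float32: value -> two registers in the given order."""
    big_endian = struct.pack(">f", value)
    wire = bytes(big_endian["ABCD".index(ch)] for ch in order)
    return struct.unpack(">HH", wire)

def plausible_orders(regs, low, high):
    """Byte orders under which regs decode to a float within [low, high]."""
    # NaN fails both comparisons, so nonsense decodes drop out automatically.
    return [o for o in ORDERS if low <= decode_float32(regs, o) <= high]

if __name__ == "__main__":
    regs = (0xE979, 0x42F6)  # constructed: 123.456 sent in CDAB order
    for order in ORDERS:
        print(order, decode_float32(regs, order))
    print("plausible for a 0-200 sensor:", plausible_orders(regs, 0.0, 200.0))
```

Reading these registers with the wrong order still returns a number, just a wildly wrong one, which is why a range check against the expected physical value is worth doing before using the result.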

Applications

Common Use Cases

Modbus is used across many industries. Here are some of the most common scenarios where ModbusBB helps engineers and technicians.

Energy & Power

Read power meters, solar inverters, battery management systems, and energy monitoring devices. Track voltage, current, power factor, and kWh consumption.

Manufacturing & PLC

Communicate with PLCs, VFDs (variable frequency drives), and motor controllers. Read status, write setpoints, and control production lines.

HVAC & Building Automation

Monitor and control HVAC systems, chillers, boilers, and environmental sensors. Read temperatures, humidity, and control dampers.

Water & Wastewater

Monitor flow meters, level sensors, pump controllers, and treatment systems. Track flow rates, tank levels, and chemical dosing.

Device Testing & QA

Test new Modbus devices during development. Verify register maps, validate responses, and debug communication issues.

Data Acquisition & SCADA

Collect data from field devices for SCADA systems, historians, and monitoring dashboards. Log values over time for trend analysis.

Watch & Learn

Video Tutorials

These curated videos will help you understand Modbus visually. Great for beginners and as a refresher for experienced users.

How Does Modbus Communication Protocol Work?

A comprehensive introduction to the Modbus protocol, covering the basics of how devices communicate in industrial automation.

Getting Started with Modbus: Basics and Setup

Learn how to get started with Modbus communication, including setup procedures and configuration basics.

Engineer's Guide to Modbus Testing & Simulation

A deep dive into Modbus testing, simulation, and programming tools for engineers working with industrial devices.

Troubleshooting Common Modbus Issues

Learn how to diagnose and fix common problems when working with Modbus devices and communication.

Want to Practice?

Download ModbusBB and use it alongside these tutorials to practice reading and writing to Modbus devices. The 30-day free trial gives you full access to all features.

Reference

Modbus Glossary

Key terms you'll encounter when working with Modbus devices and ModbusBB.

Master / Client
The device that initiates communication by sending requests. ModbusBB acts as a Modbus master/client.
Slave / Server
The device that responds to requests from the master. PLCs, sensors, and meters typically act as slaves. Each has a unique Slave ID (1-247).
Coil
A single-bit data point representing an ON/OFF state. Originally named after relay coils in early PLCs. Can be read and written.
Register
A 16-bit (2 byte) data storage location in a Modbus device. Holds values from 0 to 65,535 (unsigned) or -32,768 to 32,767 (signed).
Holding Register
A read/write register used for configuration values, setpoints, and control parameters. Accessed with FC 03 (read) and FC 06/16 (write).
Input Register
A read-only register used for measured values from sensors. Accessed with FC 04.
Function Code (FC)
A numeric code in a Modbus request that specifies what operation to perform (e.g., FC 03 = Read Holding Registers).
CRC (Cyclic Redundancy Check)
A 2-byte error-checking value appended to Modbus RTU frames to detect data corruption during transmission.
MBAP Header
Modbus Application Protocol header used in Modbus TCP. A 7-byte header placed at the start of each frame; the CRC used in RTU is dropped.
Baud Rate
The speed of serial communication measured in bits per second. Common values: 9600, 19200, 38400, 115200.
RS-485
A serial communication standard used by Modbus RTU. Supports multi-drop connections (multiple devices on one bus) up to 1,200 meters.
Polling
Repeatedly sending read requests at regular intervals to monitor changing values. ModbusBB supports polling from 100ms to 10 seconds.
Byte Order / Endianness
The order in which bytes are arranged for multi-register values (32-bit). Common orders: ABCD (Big Endian), DCBA (Little Endian), BADC, CDAB.
IEEE 754 (Float32)
A standard for representing floating-point numbers in 32 bits (2 Modbus registers). Used for temperatures, pressures, and other analog values.
