Modbus TCP/IP brings the simplicity of the Modbus protocol onto modern Ethernet networks. Instead of serial cables and RS-485 wiring, you use standard Ethernet infrastructure — switches, routers, and Cat5e/Cat6 cables.
The protocol works the same way as Modbus RTU at the application level. You still read holding registers, write coils, and use the same function codes. The difference is the transport layer: TCP/IP replaces serial framing, CRC checks, and slave addressing with IP addresses, TCP connections, and a new header called MBAP.
This guide covers everything you need to get Modbus TCP/IP running — from network setup to client/server configuration, MBAP header structure, gateway bridging to RTU devices, and security considerations.
In This Guide
1. Modbus TCP/IP vs. Modbus RTU: Key Differences
Before diving into configuration, understand what changes when you move from RTU to TCP/IP — and what stays the same.
| Feature | Modbus RTU | Modbus TCP/IP |
|---|---|---|
| Physical layer | RS-485 / RS-232 serial | Ethernet (Cat5e/Cat6, fiber) |
| Addressing | Slave address (1–247) | IP address + Unit Identifier |
| Error checking | CRC-16 in every frame | TCP handles error detection (no CRC in Modbus frame) |
| Framing | Timing-based (T3.5 silent gap) | TCP packet boundaries (MBAP header with length field) |
| Topology | Daisy-chain bus | Star topology via Ethernet switch |
| Speed | Up to 115200 baud | 10/100/1000 Mbps |
| Connections | One master on the bus | Multiple clients can connect to the same server simultaneously |
| Port | COM port (serial) | TCP port 502 |
| Terminology | Master / Slave | Client / Server |
What stays the same: The function codes, register types, data model, and addressing rules are identical. FC 03 reads holding registers in both RTU and TCP. The register map does not change.
2. How Modbus TCP/IP Works
Modbus TCP/IP uses a client/server model over standard TCP connections.
The client (typically a SCADA system, HMI, or PLC acting as master) initiates a TCP connection to the server on port 502. It then sends Modbus requests and waits for responses.
The server (typically an RTU, I/O module, sensor, or PLC) listens on port 502, processes incoming requests, and returns responses.
The communication flow:
- Client opens a TCP connection to the server’s IP address on port 502.
- Client sends a Modbus request wrapped in an MBAP header.
- Server receives the request, processes it, and sends a response.
- The TCP connection stays open for subsequent requests — you do not need to reconnect for each transaction.
- When done, the client closes the TCP connection.
Unlike Modbus RTU where only one master can exist on the bus, Modbus TCP allows multiple clients to connect to a single server at the same time. The server handles each connection independently.
3. The MBAP Header Explained
Modbus TCP replaces the RTU frame’s slave address and CRC with a 7-byte header called the MBAP (Modbus Application Protocol) header. Understanding this header helps when debugging with tools like Wireshark.
| Field | Size | Description |
|---|---|---|
| Transaction ID | 2 bytes | A unique number set by the client. The server copies it into the response. Used to match requests with responses when multiple transactions are in progress. |
| Protocol ID | 2 bytes | Always 0x0000 for Modbus. |
| Length | 2 bytes | Number of bytes that follow (Unit ID + PDU). |
| Unit ID | 1 byte | Identifies the target device. Set to 0xFF or 0x01 for direct communication. Used for gateway routing to serial slaves. |
After the MBAP header, the rest of the message is identical to Modbus RTU — function code followed by data. No CRC is needed because TCP already provides reliable delivery with its own checksums.
Example: Read 10 Holding Registers Starting at Address 0
Request (client to server):
[Transaction ID: 0x0001] [Protocol ID: 0x0000] [Length: 0x0006] [Unit ID: 0x01]
[Function Code: 0x03] [Start Address: 0x0000] [Quantity: 0x000A]Response (server to client):
[Transaction ID: 0x0001] [Protocol ID: 0x0000] [Length: 0x0017] [Unit ID: 0x01]
[Function Code: 0x03] [Byte Count: 0x14] [Register Data: 20 bytes]The transaction ID 0x0001 matches in both — confirming this response belongs to that specific request.
4. Network Setup and IP Planning
Basic Network Requirements
| Component | Requirement |
|---|---|
| Ethernet cable | Cat5e or Cat6, shielded recommended in industrial environments |
| Network switch | Managed switch preferred for diagnostics and VLAN segmentation |
| IP addressing | Static IP addresses for all Modbus devices (do not use DHCP) |
| Subnet | All Modbus devices on the same subnet unless routed |
| Port | TCP port 502 must be open between client and server |
IP Address Planning
Assign a dedicated subnet for your Modbus TCP network. Keep it separate from the corporate IT network. A common approach:
- Modbus TCP subnet: 192.168.1.0/24
- Client (SCADA/HMI): 192.168.1.1
- Server device 1: 192.168.1.10
- Server device 2: 192.168.1.11
- Gateway to RTU bus: 192.168.1.20
💡 Pro Tip: Always use static IP addresses for Modbus devices. DHCP-assigned addresses can change after a power cycle, breaking your SCADA configuration. Document every IP address in a spreadsheet before commissioning.
5. Step-by-Step: Configure the Server (Slave)
The server is the device that holds data and responds to client requests. This could be a PLC, RTU, power meter, sensor, or I/O module.
Step 1. Assign a Static IP Address
Configure the IP address, subnet mask, and gateway on the device. Most devices have a web interface, front panel, or configuration software for this. Example:
- IP Address: 192.168.1.10
- Subnet Mask: 255.255.255.0
- Gateway: 192.168.1.1 (only needed if client is on a different subnet)
Step 2. Set the Modbus TCP Port
The default is port 502. Leave it at 502 unless your organization requires a different port. If you change it, the client must be configured to use the same port.
Step 3. Set the Unit Identifier
For direct Modbus TCP communication (no gateway), set the Unit ID to 1 or 255 (0xFF). The server will respond regardless of the Unit ID in most implementations.
If this device sits behind a gateway that routes to serial slaves, the Unit ID must match the slave address of the target RTU device.
Step 4. Configure the Register Map
Map your device’s I/O points to Modbus registers. This is device-specific — refer to your manufacturer’s documentation. Common mappings:
| Data | Register Type | Typical Address Range |
|---|---|---|
| Digital inputs | Discrete Inputs (1xxxx) | FC 02 |
| Digital outputs | Coils (0xxxx) | FC 01 / FC 05 |
| Analog inputs | Input Registers (3xxxx) | FC 04 |
| Setpoints and config | Holding Registers (4xxxx) | FC 03 / FC 06 / FC 16 |
Step 5. Set Connection Limits
Some devices let you configure the maximum number of simultaneous client connections. A typical range is 4 to 16 connections. Set this based on how many clients will poll this device.
6. Step-by-Step: Configure the Client (Master)
The client is the SCADA system, HMI, or PLC that polls the servers for data and sends control commands.
Step 1. Add Server Devices
For each Modbus TCP server, create an entry with:
- Server IP address (e.g., 192.168.1.10)
- TCP port (502)
- Unit ID (1 for direct, or the RTU slave address when going through a gateway)
Step 2. Define Poll Groups
Group your register reads by device and register range. Each poll group defines:
| Parameter | Setting | Notes |
|---|---|---|
| Function code | FC 03, FC 04, FC 01, FC 02 | Match the register type |
| Start address | Zero-based offset | Register 40001 = address 0 |
| Quantity | 1 to 125 registers per request | Max 125 holding registers per single FC 03 request |
| Poll interval | 100 ms to 10 seconds | Depends on data freshness needs |
Step 3. Set Timeouts and Retries
| Parameter | Recommended Value | Notes |
|---|---|---|
| Connection timeout | 3–5 seconds | Time to establish TCP connection |
| Response timeout | 1–3 seconds | Time to wait for response after sending request |
| Retry count | 2–3 | Retries on timeout before marking device offline |
| Reconnect interval | 10–30 seconds | Time to wait before retrying a failed connection |
Step 4. Keep the Connection Open
The Modbus TCP specification recommends keeping TCP connections open rather than opening and closing them for each transaction. Constant reconnecting wastes time and resources. Most SCADA software does this automatically.
7. Multiple Connections and Transaction Management
One of the advantages of Modbus TCP over RTU is the ability to handle multiple simultaneous connections.
Multiple Clients, One Server
Several SCADA systems, HMIs, or PLCs can all connect to the same Modbus TCP server at the same time. The server handles each TCP connection independently.
However, too many clients polling the same server at high frequency can overload it. Check the server’s maximum connection count and response time specs.
Transaction Identifiers
When a client sends multiple requests without waiting for each response (pipelining), the Transaction ID in the MBAP header is used to match responses to their requests. The client should increment the Transaction ID for each new request.
One PDU Per TCP Frame
The Modbus specification recommends sending only one Modbus request per TCP packet. Do not bundle multiple Modbus requests into a single TCP frame — some servers cannot handle it.
8. Bridging Modbus TCP to Modbus RTU via Gateway
Many field devices only support Modbus RTU over RS-485. A Modbus TCP/RTU gateway bridges the two worlds.
How It Works
- The SCADA client sends a Modbus TCP request to the gateway’s IP address.
- The gateway reads the Unit ID from the MBAP header.
- The gateway converts the request to Modbus RTU, using the Unit ID as the slave address.
- The gateway sends the RTU request to the serial bus.
- The RTU slave responds to the gateway.
- The gateway converts the response back to Modbus TCP and sends it to the client.
Gateway Configuration
| Parameter | Setting |
|---|---|
| Gateway IP | Static IP on the Modbus TCP network |
| TCP port | 502 |
| Serial port | Baud rate, parity, stop bits — must match the RTU slaves |
| Slave address range | Define which Unit IDs are routed to which serial port |
Important Considerations
- Response time increases. The gateway adds latency — it must complete the serial RTU transaction before responding to the TCP client. Set client timeouts accordingly (3–5 seconds minimum).
- One serial transaction at a time. Even if multiple TCP clients send requests simultaneously, the gateway queues them and sends one RTU request at a time on the serial bus.
- Unit ID = Slave address. The MBAP Unit ID must match the RTU slave address on the serial side. If your RTU slave is address 5, the client must set Unit ID to 5.
9. Security Considerations
Modbus TCP has no built-in authentication or encryption. Any device on the network that can reach port 502 can read registers, write values, and send control commands. This is a serious risk.
Risks
- Unauthorized reads: An attacker can read all process data.
- Unauthorized writes: An attacker can change setpoints, open/close valves, or trip breakers.
- Denial of service: Flooding port 502 with connections can exhaust server resources.
- Man-in-the-middle: Without encryption, traffic can be intercepted and modified.
Mitigation Measures
- Network segmentation: Keep the Modbus TCP network on a separate VLAN or physical network. Do not connect it to the corporate LAN or internet.
- Firewall rules: Restrict access to port 502. Only allow known SCADA/HMI IP addresses.
- VPN tunnels: If Modbus TCP must cross untrusted networks, wrap it in a VPN.
- Access control lists: Some devices support IP-based access control — configure the server to accept connections only from specific client IPs.
- Monitoring: Deploy intrusion detection systems on the SCADA network to detect unauthorized Modbus traffic.
- Disable unused ports: If a device has a web interface or other services, disable them if not needed.
⚠️ Warning: Never expose TCP port 502 to the internet. A single unprotected Modbus TCP device can give an attacker full control over industrial equipment. Always assume that any device reachable on port 502 can be read and written by anyone on that network.
10. Troubleshooting Common Issues
| Problem | Likely Cause | Solution |
|---|---|---|
| Cannot connect to server | Wrong IP address, port blocked, or device offline | Ping the server IP. Check firewall rules. Verify port 502 is open. |
| Connection drops frequently | TCP keep-alive not configured or server connection limit reached | Enable TCP keep-alive. Check max connections on the server. |
| Timeout errors | Server overloaded or response timeout too short | Increase timeout to 3–5 seconds. Reduce polling frequency. |
| Wrong data values | Zero-based offset mismatch or wrong function code | Verify addressing convention. Check FC 03 vs FC 04. |
| Exception code 02 (Illegal Address) | Register address does not exist on the server | Check device register map. Remember: register 40001 = address 0. |
| Reads work but writes fail | Unit ID mismatch or register is read-only | Check Unit ID. Verify the register type allows writing. |
| Gateway returns timeout | RTU slave not responding on serial side | Check serial wiring, baud rate, and slave address on the RTU side. |
| Data from gateway is slow | Serial bus bottleneck — RTU is slower than TCP | Accept the latency or split high-priority and low-priority polls. |
| All registers return zero | Connected to wrong device or register range empty | Verify the server IP. Try reading the device ID register first. |
| Wireshark shows retransmissions | Network congestion or server processing too slow | Check network health. Reduce number of simultaneous clients. |
Summary
Setting up Modbus TCP/IP is simpler than RTU in many ways — no RS-485 wiring, no termination resistors, no baud rate matching across a bus. But it introduces its own requirements: proper IP planning, firewall management, connection handling, and security hardening.
Here is a quick checklist before going live:
- All devices have static IP addresses on the same subnet
- TCP port 502 is open between clients and servers
- Client timeouts are set long enough (especially when using gateways)
- Unit ID matches the target device (or RTU slave address for gateways)
- Register addresses use the correct zero-based offset
- Network is segmented and firewalled from untrusted networks
- Connection limits are set on each server device
Modbus TCP takes a protocol that has been proven for over 45 years and puts it on modern Ethernet. When the network is set up right and secured properly, it is reliable, fast, and easy to maintain.