Modbus TCP is the Ethernet implementation of the Modbus protocol. Rather than transmitting messages over serial communication links such as RS-232 or RS-485, Modbus TCP encapsulates Modbus Application Protocol (MBAP) messages within standard TCP/IP packets and transports them across Ethernet networks.
Developed in the late 1990s, Modbus TCP allows industrial devices to communicate using existing Ethernet infrastructure, providing higher communication speeds, greater scalability, and easier integration with enterprise networks. It has become one of the most widely deployed industrial Ethernet protocols and is supported by virtually every major automation vendor.
Although the underlying Modbus function codes and register model remain unchanged from Modbus RTU, the transport mechanism differs significantly. Modbus TCP replaces serial addressing, timing, and CRC error checking with standard Ethernet, IP, and TCP networking mechanisms.
As industrial facilities expanded and Ethernet became the standard networking technology, serial communication networks began to show limitations.
Compared to Modbus RTU, Ethernet offered:
Rather than creating a completely new protocol, Modbus messages were simply encapsulated within TCP/IP packets, preserving compatibility while leveraging Ethernet networking.
Unlike Modbus RTU, which uses a single Master communicating with multiple Slaves over a shared serial bus, Modbus TCP uses a Client/Server architecture over Ethernet.
A Client initiates requests to one or more Servers, which respond with the requested data.
Typical Clients include:
Typical Servers include:
Unlike serial Modbus, multiple Clients can communicate with the same Server simultaneously through independent TCP sessions.
Modbus TCP operates using the standard TCP/IP protocol stack.
+-------------------------------+ | Modbus Application Protocol | +-------------------------------+ | TCP | +-------------------------------+ | IP | +-------------------------------+ | Ethernet | +-------------------------------+ | Physical Layer | +-------------------------------+
Each layer performs a specific function:
Before any Modbus data is exchanged, a TCP connection must be established.
This begins with the standard TCP three-way handshake:
Once the connection is established, Modbus requests and responses are exchanged over the reliable TCP session. Unlike Modbus RTU, there are no communication timing gaps or inter-frame delays to manage, as TCP handles packet delivery and sequencing.
Modbus TCP uses the well-known TCP Port 502.
When a client initiates communication, it connects to the server's IP address on port 502.
For example:
SCADA Server
192.168.1.10
↓
PLC
192.168.1.50:502
This standard port enables industrial firewalls, intrusion detection systems, and packet analysers such as Wireshark to identify Modbus TCP traffic automatically.
Instead of using the CRC and slave addressing found in Modbus RTU, Modbus TCP adds a Modbus Application Protocol (MBAP) Header.
The MBAP Header is 7 bytes long and contains:
| Field | Purpose |
|---|---|
| Transaction Identifier | Matches requests with responses. |
| Protocol Identifier | Always 0 for Modbus. |
| Length | Indicates the number of bytes following the header. |
| Unit Identifier | Used primarily when communicating through Modbus gateways to serial devices. |
The MBAP Header replaces the addressing and error-checking functions used in Modbus RTU.
A Modbus TCP frame consists of:
Ethernet Header
↓
IP Header
↓
TCP Header
↓
MBAP Header
↓
Function Code
↓
Data
Unlike Modbus RTU, there is no CRC, as TCP already provides checksum and error detection mechanisms.
A typical Modbus TCP transaction follows these steps:
This sequence may occur many times per second as the client polls process data.
Unlike Modbus RTU, Modbus TCP supports multiple concurrent TCP connections.
For example:
SCADA
│
│
Historian ─── PLC ─── Engineering Workstation
│
HMI
Each client maintains an independent TCP session with the PLC. The PLC processes each request individually, allowing multiple systems to access the same process data simultaneously.
A typical Industrial Automation and Control System using Modbus TCP may include:
Enterprise Network
│
Industrial Firewall
│
DMZ
│
Industrial Firewall
│
Industrial Ethernet Switch
├────────────┬────────────┬────────────┐
PLC 1 PLC 2 Remote I/O VSD
│ │ │ │
Field Devices and Instrumentation
This architecture supports secure segmentation between enterprise IT and operational technology (OT) networks while allowing controlled access to industrial assets.
Because Modbus TCP operates over Ethernet, it can be captured using standard packet capture tools such as Wireshark.
Useful display filters include:
modbustcp.port == 502ip.addr == 192.168.1.50Typical information visible in a packet capture includes:
Unlike encrypted protocols, Modbus TCP payloads are transmitted in clear text, making them easy to inspect.
Many industrial firewalls provide Deep Packet Inspection (DPI) for Modbus TCP.
Unlike traditional IT firewalls that filter only by IP address and TCP port, DPI-enabled industrial firewalls inspect the Modbus payload itself.
For example, firewall rules may:
This provides much finer control over industrial communications and supports the defence-in-depth principles of ISA/IEC 62443.
Modbus TCP provides no native cybersecurity features. The protocol does not support:
An attacker with network access may be able to:
Because the protocol operates over Ethernet, these attacks can potentially be launched remotely if network segmentation is inadequate.
Modbus TCP is considered a legacy industrial protocol and should be protected through compensating security controls rather than relying on the protocol itself.
Recommended controls include:
These controls help satisfy the system-level security requirements defined in ISA/IEC 62443.