← Home

Modbus TCP

Modbus TCP is the Ethernet implementation of the Modbus protocol. Rather than transmitting messages over serial communication links such as RS-232 or RS-485, Modbus TCP encapsulates Modbus Application Protocol (MBAP) messages within standard TCP/IP packets and transports them across Ethernet networks.

Developed in the late 1990s, Modbus TCP allows industrial devices to communicate using existing Ethernet infrastructure, providing higher communication speeds, greater scalability, and easier integration with enterprise networks. It has become one of the most widely deployed industrial Ethernet protocols and is supported by virtually every major automation vendor.

Although the underlying Modbus function codes and register model remain unchanged from Modbus RTU, the transport mechanism differs significantly. Modbus TCP replaces serial addressing, timing, and CRC error checking with standard Ethernet, IP, and TCP networking mechanisms.

Modbus TCP Overview
Figure – Modbus TCP communication over Ethernet using TCP/IP.

Why Modbus TCP was Developed

As industrial facilities expanded and Ethernet became the standard networking technology, serial communication networks began to show limitations.

Compared to Modbus RTU, Ethernet offered:

Rather than creating a completely new protocol, Modbus messages were simply encapsulated within TCP/IP packets, preserving compatibility while leveraging Ethernet networking.


Communication Architecture

Unlike Modbus RTU, which uses a single Master communicating with multiple Slaves over a shared serial bus, Modbus TCP uses a Client/Server architecture over Ethernet.

A Client initiates requests to one or more Servers, which respond with the requested data.

Typical Clients include:

Typical Servers include:

Unlike serial Modbus, multiple Clients can communicate with the same Server simultaneously through independent TCP sessions.


How Modbus TCP Works

Ethernet Communication

Modbus TCP operates using the standard TCP/IP protocol stack.

+-------------------------------+
| Modbus Application Protocol   |
+-------------------------------+
| TCP                           |
+-------------------------------+
| IP                            |
+-------------------------------+
| Ethernet                      |
+-------------------------------+
| Physical Layer                |
+-------------------------------+

Each layer performs a specific function:


Connection Establishment

Before any Modbus data is exchanged, a TCP connection must be established.

This begins with the standard TCP three-way handshake:

  1. Client sends a SYN packet.
  2. Server responds with SYN-ACK.
  3. Client replies with ACK.

Once the connection is established, Modbus requests and responses are exchanged over the reliable TCP session. Unlike Modbus RTU, there are no communication timing gaps or inter-frame delays to manage, as TCP handles packet delivery and sequencing.


TCP Port

Modbus TCP uses the well-known TCP Port 502.

When a client initiates communication, it connects to the server's IP address on port 502.

For example:

SCADA Server
192.168.1.10
      ↓
PLC
192.168.1.50:502

This standard port enables industrial firewalls, intrusion detection systems, and packet analysers such as Wireshark to identify Modbus TCP traffic automatically.


MBAP Header

Instead of using the CRC and slave addressing found in Modbus RTU, Modbus TCP adds a Modbus Application Protocol (MBAP) Header.

The MBAP Header is 7 bytes long and contains:

Field Purpose
Transaction Identifier Matches requests with responses.
Protocol Identifier Always 0 for Modbus.
Length Indicates the number of bytes following the header.
Unit Identifier Used primarily when communicating through Modbus gateways to serial devices.

The MBAP Header replaces the addressing and error-checking functions used in Modbus RTU.


Message Structure

A Modbus TCP frame consists of:

Ethernet Header
      ↓
IP Header
      ↓
TCP Header
      ↓
MBAP Header
      ↓
Function Code
      ↓
Data

Unlike Modbus RTU, there is no CRC, as TCP already provides checksum and error detection mechanisms.


Communication Sequence

A typical Modbus TCP transaction follows these steps:

  1. Client establishes a TCP session.
  2. Client sends a Modbus request.
  3. Server receives the request.
  4. Server validates the function code and register address.
  5. Server reads or writes the requested data.
  6. Server returns a response.
  7. Client processes the returned values.

This sequence may occur many times per second as the client polls process data.


Multiple Client Communications

Unlike Modbus RTU, Modbus TCP supports multiple concurrent TCP connections.

For example:

             SCADA
                │
                │
Historian ─── PLC ─── Engineering Workstation
                │
               HMI

Each client maintains an independent TCP session with the PLC. The PLC processes each request individually, allowing multiple systems to access the same process data simultaneously.


Typical IACS Architecture

A typical Industrial Automation and Control System using Modbus TCP may include:

Enterprise Network
        │
Industrial Firewall
        │
DMZ
        │
Industrial Firewall
        │
Industrial Ethernet Switch
   ├────────────┬────────────┬────────────┐
 PLC 1       PLC 2      Remote I/O     VSD
   │             │             │          │
 Field Devices and Instrumentation

This architecture supports secure segmentation between enterprise IT and operational technology (OT) networks while allowing controlled access to industrial assets.


Packet Capture (PCAP) Analysis

Because Modbus TCP operates over Ethernet, it can be captured using standard packet capture tools such as Wireshark.

Useful display filters include:

Typical information visible in a packet capture includes:

Unlike encrypted protocols, Modbus TCP payloads are transmitted in clear text, making them easy to inspect.


Deep Packet Inspection (DPI)

Many industrial firewalls provide Deep Packet Inspection (DPI) for Modbus TCP.

Unlike traditional IT firewalls that filter only by IP address and TCP port, DPI-enabled industrial firewalls inspect the Modbus payload itself.

For example, firewall rules may:

This provides much finer control over industrial communications and supports the defence-in-depth principles of ISA/IEC 62443.


Cybersecurity Considerations

Modbus TCP provides no native cybersecurity features. The protocol does not support:

An attacker with network access may be able to:

Because the protocol operates over Ethernet, these attacks can potentially be launched remotely if network segmentation is inadequate.


ISA/IEC 62443 Considerations

Modbus TCP is considered a legacy industrial protocol and should be protected through compensating security controls rather than relying on the protocol itself.

Recommended controls include:

These controls help satisfy the system-level security requirements defined in ISA/IEC 62443.


Advantages


Limitations


Key Takeaways


Related Topics


Standards References