Modbus TCP Protocol

Modbus over TCP/IP for Ethernet-based industrial communication, remote monitoring, and SCADA networks.

Type: TCP/IP Protocol
Port: 502
Max Connections: Multiple
Standard: Modbus-IDA 1999

What is Modbus TCP?

Modbus TCP (also called Modbus TCP/IP) is the Modbus protocol adapted for modern TCP/IP networks. It encapsulates standard Modbus frames inside TCP packets, allowing industrial devices to communicate over standard Ethernet infrastructure.

Published by Modbus-IDA (now the Modbus Organization) in 1999, Modbus TCP was designed to bring the simplicity and reliability of Modbus to Ethernet networks. It uses IANA-registered port 502 and requires no special hardware beyond a standard network interface.

Because it leverages existing Ethernet and IP infrastructure, Modbus TCP is easily integrated into corporate networks, supports remote access over VPNs, and can be routed across subnets. These are capabilities that serial Modbus RTU cannot offer.

How Modbus TCP Communication Works

Modbus TCP uses a client-server model (the updated terminology for master-slave). A client opens a TCP connection to a server on port 502, sends a Modbus request, and the server processes it and returns a response over the same connection.

Unlike Modbus RTU, multiple client connections can be active simultaneously. The TCP connection typically remains open for the duration of communication, and transaction IDs in the header allow clients to match responses to their original requests, even when multiple requests are in flight.

The function codes and data structures are identical to Modbus RTU, which means migrating from RTU to TCP requires minimal application-level changes. The key difference is in the framing: TCP uses an MBAP header instead of the RTU address and CRC fields.

[Diagram: Client (Master, SCADA) and Server (Slave, PLC). 1. TCP Connect (port 502). 2. Read Holding Registers (FC 0x03). 3. Response: Register Values. 4. More requests... Connection remains open for subsequent requests.]
Modbus TCP uses a persistent TCP connection on port 502.

Modbus TCP Frame Structure: The MBAP Header

Modbus TCP replaces the RTU framing (address + CRC) with the MBAP header (Modbus Application Protocol header). This 7-byte header precedes the standard PDU (function code + data).

The MBAP header contains four fields. The Transaction ID (2 bytes) matches request-response pairs, allowing asynchronous operations. The Protocol ID (2 bytes) is always 0x0000 for Modbus. The Length field (2 bytes) indicates how many bytes follow. The Unit ID (1 byte) identifies a downstream RTU slave when the TCP server acts as a gateway to a serial network.

Because TCP/IP already provides reliable delivery with its own checksum and retransmission mechanisms, Modbus TCP does not need the CRC-16 error check used in RTU framing. This simplifies implementation and reduces per-frame overhead.

[Diagram: Modbus TCP Frame (MBAP + PDU). MBAP Header: Transaction ID (2 bytes), Protocol ID (2 bytes), Length (2 bytes), Unit ID (1 byte). PDU: Function Code (1 byte), Data (0–252 bytes). RTU vs TCP Framing Comparison: RTU framing uses Address + CRC (error checking); TCP framing uses the MBAP Header (no CRC needed).]
Modbus TCP wraps the standard PDU in an MBAP header instead of using the RTU address and CRC fields. TCP/IP handles error detection.

Modbus TCP Request and Response Examples

Below are real-world Modbus TCP request and response examples shown in hexadecimal. Each frame starts with the 7-byte MBAP header, followed by the function code and data (the PDU). There is no CRC since TCP handles error checking.

Example 1: Read Holding Registers (Function Code 0x03)

The client reads 3 holding registers starting at address 0 from Unit ID 1. This is the most common Modbus operation for reading sensor values.

Request (Client to Server)

00 01 00 00 00 06 01 03 00 00 00 03

MBAP Header:

00 01 = Transaction ID 1
00 00 = Protocol ID (Modbus)
00 06 = 6 bytes follow
01 = Unit ID 1

PDU:

03 = Read Holding Registers
00 00 = Start register 0
00 03 = Read 3 registers

Response (Server to Client)

00 01 00 00 00 09 01 03 06 00 64 00 C8 01 2C

MBAP Header:

00 01 = Transaction ID 1 (matches)
00 00 = Protocol ID
00 09 = 9 bytes follow
01 = Unit ID 1

PDU:

03 = Function code echo
06 = 6 data bytes
00 64 = Reg 0 = 100
00 C8 = Reg 1 = 200
01 2C = Reg 2 = 300

Example 2: Write Multiple Registers (Function Code 0x10)

The client writes values 100 and 200 to holding registers 10 and 11 on Unit ID 1. This is commonly used to update multiple setpoints in a single request.

Request (Client to Server)

00 02 00 00 00 0B 01 10 00 0A 00 02 04 00 64 00 C8

00 02 = Transaction ID 2
01 = Unit ID
10 = Write Multiple Regs
00 0A = Start register 10
00 02 = Write 2 registers
04 = 4 data bytes
00 64 = Value 100
00 C8 = Value 200

Response (Server to Client)

00 02 00 00 00 06 01 10 00 0A 00 02

Response confirms 2 registers were written starting at register 10.

Modbus TCP Exception (Error) Codes

Modbus TCP uses the same exception codes as Modbus RTU. When a server cannot process a request, it returns an exception response where the function code has its high bit set (original code + 0x80), followed by an exception code byte.

Error Response Example Over TCP

The client tries to read from a register address that does not exist. The server responds with exception code 0x02 (Illegal Data Address).

Request (Client to Server)

00 03 00 00 00 06 01 03 FF 00 00 01
Transaction ID 3, Unit ID 1, Read Holding Register at address 0xFF00 (invalid)

Error Response (Server to Client)

00 03 00 00 00 03 01 83 02

MBAP Header:

00 03 = Transaction ID 3 (matches)
00 00 = Protocol ID
00 03 = 3 bytes follow
01 = Unit ID 1

Error PDU:

83 = Error flag (0x80 + 0x03)
02 = Illegal Data Address

Complete Exception Code Reference

These exception codes are shared across all Modbus variants (RTU, TCP, and ASCII). They are defined in the Modbus Application Protocol specification.

Code | Name | Meaning
0x01 | Illegal Function | The function code is not supported by the server device.
0x02 | Illegal Data Address | The register or coil address does not exist or the requested range extends beyond available addresses.
0x03 | Illegal Data Value | The value in the request data field is not acceptable, such as an out-of-range value or invalid register quantity.
0x04 | Server Device Failure | An unrecoverable error occurred while processing the request. General-purpose error for internal device faults.
0x05 | Acknowledge | The server accepted the request but needs more time to process it. The client should poll later.
0x06 | Server Device Busy | The server is processing a long-duration command. The client should retry later.
0x08 | Memory Parity Error | The server detected a parity error in its internal memory, indicating a hardware fault.
0x0A | Gateway Path Unavailable | The TCP gateway could not establish a path to the downstream RTU device.
0x0B | Gateway Target Failed to Respond | The downstream RTU device did not respond to the gateway within the configured timeout. Common when a serial device is offline.

With Modbus TCP, the client may also encounter TCP-level errors (connection refused, connection reset, timeout) if the server is unreachable on the network. These are separate from Modbus exception codes and indicate a network issue rather than an application-level error.
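The MBAP layout and exception encoding described above can be checked mechanically before a frame is trusted. The following validating parser is an added example, not code from the original page; the names parse_frame, registers and FrameError are hypothetical, and the two sample frames are the responses shown in the examples above.

```python
import struct

EXCEPTIONS = {  # names from the reference table on this page
    0x01: "Illegal Function", 0x02: "Illegal Data Address",
    0x03: "Illegal Data Value", 0x04: "Server Device Failure",
    0x05: "Acknowledge", 0x06: "Server Device Busy", 0x08: "Memory Parity Error",
    0x0A: "Gateway Path Unavailable", 0x0B: "Gateway Target Failed to Respond",
}
MAX_PDU = 253  # function code (1 byte) + data (0-252 bytes)


class FrameError(ValueError):
    """A frame that violates the MBAP layout described on this page."""


def parse_frame(frame: bytes) -> dict:
    """Validate one Modbus TCP frame and return its decoded fields."""
    if len(frame) < 8:  # 7-byte MBAP header + function code
        raise FrameError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0x0000:
        raise FrameError(f"Protocol ID {proto:#06x} is not Modbus")
    if length != len(frame) - 6:  # Length counts Unit ID + PDU
        raise FrameError(f"Length={length}, but {len(frame) - 6} bytes follow")
    pdu = frame[7:]
    if len(pdu) > MAX_PDU:
        raise FrameError("PDU longer than 253 bytes")
    out = {"tid": tid, "unit": unit, "fc": pdu[0] & 0x7F,
           "is_exception": bool(pdu[0] & 0x80), "data": pdu[1:]}
    if out["is_exception"]:
        if len(pdu) != 2:
            raise FrameError("exception PDU must be exactly 2 bytes")
        out["exception"] = EXCEPTIONS.get(pdu[1], f"unknown {pdu[1]:#04x}")
    return out


def registers(resp: dict) -> list:
    """Decode the 16-bit values of a Read Holding Registers response."""
    data = resp["data"]
    if resp["fc"] != 0x03 or resp["is_exception"] or not data:
        raise FrameError("not a Read Holding Registers response")
    if data[0] % 2 or data[0] != len(data) - 1:
        raise FrameError("byte count does not match register data")
    return list(struct.unpack(f">{data[0] // 2}H", data[1:]))


# Frames copied from the examples on this page.
READ_RESP = bytes.fromhex("00 01 00 00 00 09 01 03 06 00 64 00 C8 01 2C")
ERR_RESP = bytes.fromhex("00 03 00 00 00 03 01 83 02")
```

Rejecting frames whose Length field disagrees with the bytes actually received matters because Modbus TCP has no CRC of its own; the header is the only framing check the application layer gets.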

Modbus TCP vs Modbus RTU: Key Differences

Feature | Modbus RTU | Modbus TCP
Physical Layer | RS-485/RS-232 | Ethernet
Speed | Up to 115.2 kbps | 10/100/1000 Mbps
Addressing | 1-247 slave addresses | IP addresses
Error Checking | CRC-16 | TCP checksum
Network Topology | Bus | Star/switched
Connections | 1 master only | Multiple simultaneous clients
Maximum Distance | 1200 m (RS-485) | Unlimited (routable over IP)

Key Features of Modbus TCP

  • Standard Ethernet hardware: no special interface cards or serial converters needed.
  • Multiple simultaneous connections: several clients can communicate with the same server concurrently.
  • Routable across networks: works over VPNs, across subnets, and through firewalls with standard IP routing.
  • Same function codes as RTU: migrating from serial to Ethernet requires minimal application changes.
  • No special hardware needed: any device with a standard network interface card can participate.
  • Transaction IDs: allow asynchronous operations by matching responses to their original requests.

Common Use Cases for Modbus TCP

  • Factory floor Ethernet integration: connecting PLCs, HMIs, and sensors over industrial Ethernet networks.
  • Remote monitoring over VPN: accessing field devices from control centers across wide-area networks.
  • SCADA systems with Ethernet backbone: modern SCADA architectures using switched Ethernet infrastructure.
  • Building management systems: BMS platforms integrating HVAC, lighting, and energy metering.
  • IoT gateways: bridging legacy Modbus RTU devices to IP-based monitoring and cloud platforms.

Frequently Asked Questions About Modbus TCP

Can Modbus TCP and Modbus RTU coexist on the same network?

Yes. Modbus TCP-to-RTU gateways bridge between Ethernet and serial networks, allowing TCP clients to communicate with RTU slave devices. The gateway translates between MBAP headers and RTU framing, using the Unit ID field to address the downstream serial device.

Is Modbus TCP secure?

Modbus TCP has no built-in security mechanisms: no authentication, encryption, or access control. For secure deployments, use network-level protections such as VPNs, firewalls, and network segmentation. The Modbus Organization has published Modbus/TCP Security (TLS-based) as an extension, though adoption is still limited.
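Because the protocol itself cannot tell one client from another, the network-level control has to decide per request. The sketch below is an added example (not from the original page) of the allowlist a Modbus-aware firewall or proxy applies; the function name verdict, the source networks and the register ranges are constructed assumptions, and the three requests are the ones shown in the examples above.

```python
import ipaddress
import struct

# Request layouts from the Modbus Application Protocol specification.
QTY_CODES = {0x01, 0x02, 0x03, 0x04, 0x0F, 0x10}  # address + quantity
SINGLE_CODES = {0x05, 0x06}                        # address + one value

# Constructed sample policy: (source network, function codes, address range).
RULES = [
    (ipaddress.ip_network("198.51.100.0/24"), {0x03, 0x04}, range(0, 100)),
    (ipaddress.ip_network("198.51.100.10/32"), {0x06, 0x10}, range(10, 20)),
]


def verdict(src_ip: str, frame: bytes) -> str:
    """Classify one client request as 'allow', 'deny' or 'malformed'."""
    if len(frame) < 8:
        return "malformed"
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        return "malformed"
    if fc not in QTY_CODES | SINGLE_CODES:
        return "deny"  # default deny for codes the policy does not model
    if len(frame) < 12:
        return "malformed"
    addr, arg = struct.unpack(">HH", frame[8:12])
    qty = arg if fc in QTY_CODES else 1
    if qty == 0:
        return "malformed"
    src = ipaddress.ip_address(src_ip)
    last = addr + qty - 1
    for net, codes, allowed in RULES:
        if src in net and fc in codes and addr in allowed and last in allowed:
            return "allow"
    return "deny"


# Requests copied from the examples on this page.
READ_REQ = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 03")
WRITE_REQ = bytes.fromhex("00 02 00 00 00 0B 01 10 00 0A 00 02 04 00 64 00 C8")
BAD_ADDR_REQ = bytes.fromhex("00 03 00 00 00 06 01 03 FF 00 00 01")
```

With this policy any host on the plant subnet can poll registers 0-99, while the Write Multiple Registers request is accepted only from the single engineering workstation address.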

What is the Unit ID field used for in Modbus TCP?

The Unit ID field identifies a downstream Modbus RTU slave when a TCP server acts as a gateway to a serial bus. For standalone TCP devices that are not gateways, the Unit ID is typically set to 0xFF or 0x01 and can generally be ignored.

How is Modbus TCP different from Modbus TCP/IP?

They are the same thing, just different names for the same protocol. The official specification uses "Modbus TCP," but "Modbus TCP/IP" is commonly used in industry documentation to emphasize that it runs over the full TCP/IP stack.

What port does Modbus TCP use?

Modbus TCP uses TCP port 502, which is registered with IANA specifically for Modbus. Some implementations support configurable ports, but 502 is the standard and should be used unless there is a specific reason to change it.

Related Protocols

  • Modbus RTU: the original serial Modbus protocol for RS-485 and RS-232 networks.
  • HTTP: the foundational request-response protocol of the web.
  • HTTPS: HTTP with TLS encryption for secure web communication.