Per Stenebo
2013-03-08 21:51:24
2017-12-30 13:37:57
Modbus frame format
How to build a Application Data Unit (ADU) for Modbus communication.
FC is short for Function Code.
Modbus-TCP request frame for FC 4
Length: 12 bytes, each byte represented by two -
as placeholders:
-- -- -- -- -- -- -- -- -- -- -- --
Example Modbus-TCP request, as space-separated hexadecimal numbers (without prefixing 0x), where each character pair represent one byte:
00 00 00 00 00 06 01 04 00 1C 00 01
The very same request, but written as a raw binary string of bytes (in python):
\x00\x00\x00\x00\x00\x06\x01\x04\x00\x1C\x00\x01
Byte 0-1
Transaction Identifier, for synchronization between messages of server & client.
00 00 -- -- -- -- -- -- -- -- -- --
Byte 2-3
Protocol Identifier, zero for Modbus-TCP.
-- -- 00 00 -- -- -- -- -- -- -- --
Byte 4-5
Number of remaining bytes in this frame.
-- -- -- -- 00 06 -- -- -- -- -- --
Byte 6
Unit Identifier. Server address, 0xFF (255) if not used.
-- -- -- -- -- -- 01 -- -- -- -- --
Byte 7
Function code.
-- -- -- -- -- -- -- 04 -- -- -- --
Byte 8-9
Start register reference.
-- -- -- -- -- -- -- -- 00 1C -- --
Byte 10-11
Requested number of registers. For FC 6 this is the data to write:
-- -- -- -- -- -- -- -- -- -- 00 01
Modbus-TCP response frame for FC 4
Length at least 10 bytes (with one 8-bit register = one data byte).
Length 11 bytes with one 16-bit register = two data bytes.
Example of Modbus-TCP response to request above, as hex:
00 01 00 00 00 05 01 04 02 00 09
Byte 0-1
Transaction Identifier. For synchronization between messages of server & client.
00 01 -- -- -- -- -- -- -- -- --
Byte 2-3
Protocol Identifier. Zero for Modbus-TCP.
-- -- 00 00 -- -- -- -- -- -- --
Byte 4-5
Length Field. Number of remaining bytes in this frame. Minimum 00 05 (one 16 bit register = two data byte).
-- -- -- -- 00 05 -- -- -- -- --
In a error response this field should be 00 03.
Byte 6
Unit Identifier / server address. FF (255) if not used.
-- -- -- -- -- -- 01 -- -- -- --
Byte 7
Function code. Function codes as in other variants.
-- -- -- -- -- -- -- 04 -- -- --
Add 0x80 (0x80 = 128) to the function code in a error frame (03 + 80 = 83)
Byte 8
Number of data bytes.
-- -- -- -- -- -- -- -- 02 -- --
Replaced with exception code, one byte between 0x00 and 0x0A, in a error response.
Byte 9-n
Data bytes.
-- -- -- -- -- -- -- -- -- 00 09
Not included in a error response.
Modbus-RTU request frame
8 bytes in length.
-- -- -- -- -- -- -- --
01 04 00 1C 00 01 F0 0C
Byte 0
Slave address or unit id:
01 -- -- -- -- -- -- --
Byte 1
Function code:
-- 04 -- -- -- -- -- --
Byte 2-3
Start register reference:
-- -- 00 1C -- -- -- --
Byte 4-5
Requested number of registers. For FC 6 this is the data to write:
-- -- -- -- 00 01 -- --
Byte 6-7
CRC checksum of the previous bytes:
-- -- -- -- -- -- F0 0C
Modbus-RTU correct response frame
Minimum length 6 bytes (with one 8-bit register = one byte).
Length 7 bytes with one 16-bit register = two bytes.
Byte 0
Address or unit id:
00 -- -- -- -- -- --
Byte 1
Function code:
-- 03 -- -- -- -- --
Byte 2
Quantity of requested data bytes, n:
-- -- 02 -- -- -- --
Byte 3-n
Data bytes:
-- -- -- 00 09 -- --
Byte (n+3) - (n+4)
Earliest in byte 4-5. CRC checksum of the previous bytes:
-- -- -- -- -- 79 36
Modbus-RTU error response frame
5 bytes in length.
-- -- -- -- --
02 89 01 76 50
Byte 0
Slave address or unit id:
02 -- -- -- -- --
Byte 1
Error code: Requested function code + 0x80 (0x80 = 128):
-- 89 -- -- -- --
Byte 2
Exception code:
-- -- 01 -- -- --
Byte 3-4
CRC checksum of the previous bytes:
-- -- -- 76 50