[This is Part#6 of the Energy Meter Series.]

Conventionally, panel meters communicate using the Modbus RTU over TCP/IP protocol. This part gives a brief overview of it.

1. Introduction

Modbus is one of the oldest, most widely adopted and most user-friendly communication protocols. Modicon (now Schneider Electric) developed it in 1979, and it has since been accepted as an industry standard for transferring discrete/analogue I/O information and register data between industrial control and monitoring devices.

Modbus devices communicate using a master-slave (client-server) technique in which

  • only one device (the master/client) can start transactions (called queries)
  • the other devices (slaves/servers) respond by supplying the requested results to the master, or by taking the action requested in the query
  • e.g. in an Energy Management System, a modem initiates the transaction, so it acts as the Master or Client, and the Energy Meter, ADC or PLC acts as a Slave or Server
  • in many cases devices such as PLCs play both roles: as a Master when they initiate the transaction (for a control action) and as a Slave when they respond to a transaction (for sending data)
  • a query from Master has
    • Slave address
    • A function code defining request action
    • Any particular data required
    • Error checking field
  • A response from Slave has
    • Fields confirming the actions taken
    • Any data to be provided (as demanded by the Master)
    • Error checking field
      • In case of any error, the Slave sends an exception message as its response
      • In the case of no error, the response from the Slave contains the requested data
  • In a standard Modbus network, there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
  • The data is sent as series of ones and zeroes called bits. Each bit is sent as a voltage. “0”s are sent as positive voltages and “1”s as negative. The bits are sent very quickly. A typical transmission speed is 9600 baud (bits per second).
  • Versions of the Modbus protocol exist for serial lines (Modbus RTU and Modbus ASCII) and for Ethernet (Modbus TCP).

Modbus is an application protocol. It defines what the data means.

2. Modbus RTU & Modbus ASCII

While troubleshooting problems, it’s helpful to see the original raw data being transmitted. Too many 1s and 0s contained in long strings are difficult to comprehend, so the bits are combined and shown in hexadecimal. Each block of 4 bits is represented by one of the sixteen characters from 0 to F. Each block of 8 bits (called a byte) is represented by one of the 256 character pairs from 00 to FF.

Information is stored in the Slave device in four different tables (listed below by Coil/Register Number, Data Address, Data Type and Table Name). Two tables store on/off discrete values and two tables store numerical values. The coils and registers each have a read-only table and a read-write table.

Each table has 9999 values. Each coil or contact is 1 bit and is assigned a data address between 0000 and 270E. Each register is 1 word = 16 bits = 2 bytes and has a data address between 0000 and 270E.

| Coil/Register Numbers | Data Addresses | Type       | Table Name                        |
|-----------------------|----------------|------------|-----------------------------------|
| 1-9999                | 0000 to 270E   | Read-Write | Discrete Output Coils             |
| 10001-19999           | 0000 to 270E   | Read-Only  | Discrete Input Contacts           |
| 30001-39999           | 0000 to 270E   | Read-Only  | Analogue Input Registers          |
| 40001-49999           | 0000 to 270E   | Read-Write | Analogue Output Holding Registers |

Each slave in a network is assigned a unique unit address from 1 to 247. When the master requests data, the first byte it sends is the Slave address. This way each slave knows after the first byte whether or not to ignore the message. The second byte sent by the Master is the Function code. This number tells the slave which table to reach and whether to read from or write to the table.

| Function Code | Action         | Table Name                        |
|---------------|----------------|-----------------------------------|
| 01 (01 hex)   | Read           | Discrete Output Coils             |
| 05 (05 hex)   | Write single   | Discrete Output Coil              |
| 15 (0F hex)   | Write multiple | Discrete Output Coils             |
| 02 (02 hex)   | Read           | Discrete Input Contacts           |
| 04 (04 hex)   | Read           | Analogue Input Registers          |
| 03 (03 hex)   | Read           | Analogue Output Holding Registers |
| 06 (06 hex)   | Write single   | Analogue Output Holding Register  |
| 16 (10 hex)   | Write multiple | Analogue Output Holding Registers |

So what are the basic differences between Modbus RTU and Modbus ASCII?

  • Message Delimiting
    • In Modbus RTU, bytes are sent consecutively with no space between them with a 3-1/2 character space between messages for a delimiter.  This allows the software to know when a new message is starting. Any delay between bytes will cause Modbus RTU to interpret it as the start of a new message. This keeps Modbus RTU from working properly with modems.
    • Modbus ASCII marks the start of each message with a colon character ":" (hex 3A). The end of each message is terminated with the carriage return and line feed characters (hex 0D and 0A). This allows the space between bytes to be variable, making it suitable for transmission through some modems.


  • Byte Size
    • In Modbus RTU each byte is sent as a string of 8 binary characters framed with a start bit, and a stop bit, making each byte 10 bits.
    • In Modbus ASCII, the number of data bits is reduced from 8 to 7. A parity bit is added before the stop bit which keeps the real byte size at 10 bits.


  • Data Range
    • In Modbus RTU, the range of data bytes can be any characters from 00 to FF.
    • In Modbus ASCII, the range of data bytes represents only the 16 hexadecimal characters.


  • Error Checksum
    • Each Modbus RTU message is terminated with two error checking bytes called a CRC or Cyclic Redundancy Check.
    • Each Modbus ASCII message is terminated with an error checking byte called an LRC or Longitudinal Redundancy Check.
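
The framing and checksum differences above, shown on one request as an added Python example (not code from the original article). The function names and the sample request (slave 11 hex, function 03, address 006B, 3 registers) are constructed for illustration; both checks detect transmission errors only and do not authenticate the sender.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def lrc(data: bytes) -> int:
    """LRC: two's complement of the 8-bit sum of the message bytes."""
    return (-sum(data)) & 0xFF

def rtu_frame(body: bytes) -> bytes:
    """Raw bytes followed by the two CRC bytes, low byte first."""
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])

def ascii_frame(body: bytes) -> bytes:
    """':' + hex characters of body and LRC + CR LF."""
    payload = body + bytes([lrc(body)])
    return b":" + payload.hex().upper().encode("ascii") + b"\r\n"

def rtu_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything except the last two bytes."""
    return len(frame) >= 4 and rtu_frame(frame[:-2]) == frame

def ascii_ok(frame: bytes) -> bool:
    """Check delimiters, hex-only payload, and that bytes + LRC sum to 0."""
    if not (frame.startswith(b":") and frame.endswith(b"\r\n")):
        return False
    try:
        raw = bytes.fromhex(frame[1:-2].decode("ascii"))
    except ValueError:  # non-hex or non-ASCII characters in the payload
        return False
    return len(raw) >= 3 and sum(raw) & 0xFF == 0

# Constructed sample: slave address, function code, start address, quantity.
REQUEST = bytes.fromhex("1103006B0003")

if __name__ == "__main__":
    print("RTU  :", rtu_frame(REQUEST).hex(" ").upper())
    print("ASCII:", ascii_frame(REQUEST))
```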


3. Modbus TCP / IP

The Modbus messaging structure is the application protocol that defines the rules for organising and interpreting the data independent of the data transmission medium. The Modbus commands and user data are themselves encapsulated into the data container of a TCP/IP telegram without being modified in any way. TCP/IP is the foundation for the World Wide Web and forms the transport and network layer protocol of the internet that commonly links all Ethernet installations worldwide.

The primary function of TCP is to make sure that all packets of data are received correctly, while IP makes sure that messages are correctly addressed and routed.

The TCP/IP combination is a transport protocol. It ensures proper data delivery.

Modbus TCP/IP uses TCP/IP and Ethernet to carry the data of the Modbus message structure between compatible devices (Modem-Meter, Switch-Meter, Modem-PLC, Switch-PLC, etc.).

Modbus TCP embeds a standard Modbus data frame into a TCP frame, without the Modbus checksum, as shown in the following diagram:

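| Part                                       | Field                  | Size                 |
|--------------------------------------------|------------------------|----------------------|
| Modbus Application Protocol (MBAP) Header  | Transaction Identifier | 2 bytes              |
| Modbus Application Protocol (MBAP) Header  | Protocol Identifier    | 2 bytes              |
| Modbus Application Protocol (MBAP) Header  | Length Field           | 2 bytes              |
| Modbus Application Protocol (MBAP) Header  | Unit ID                | 1 byte               |
| Protocol Data Unit (PDU)                   | Function Code          | 1 byte               |
| Protocol Data Unit (PDU)                   | Data                   | Depends on data size |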

Modbus TCP/IP clients and servers listen and receive Modbus data via port 502.
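
Because the frame carries no checksum or sender identity, a monitor on port 502 can only judge a message by its header fields and function code. The following Python parser is an added example (not from the original article) that decodes the MBAP header laid out above, checks the length field, and surfaces writes and malformed frames. The names `parse_adu` and `audit` and the sample frames are constructed; the protocol identifier value 0 and the high-bit exception convention come from the Modbus specification, not from this page.

```python
import struct

# Function codes and table names as listed in the function-code table above.
FUNCTIONS = {
    0x01: ("read", "Discrete Output Coils"),
    0x02: ("read", "Discrete Input Contacts"),
    0x03: ("read", "Analogue Output Holding Registers"),
    0x04: ("read", "Analogue Input Registers"),
    0x05: ("write", "Discrete Output Coil"),
    0x06: ("write", "Analogue Output Holding Register"),
    0x0F: ("write", "Discrete Output Coils"),
    0x10: ("write", "Analogue Output Holding Registers"),
}

def parse_adu(adu: bytes) -> dict:
    """Decode one Modbus TCP frame: 7-byte MBAP header, then the PDU."""
    if len(adu) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0:  # 0 identifies Modbus (per the Modbus specification)
        raise ValueError("protocol identifier is not 0")
    if length != len(adu) - 6:  # length counts Unit ID + PDU
        raise ValueError("length field does not match frame size")
    fc = adu[7]
    if fc & 0x80:  # exception responses set the high bit of the function code
        action, table = "exception", FUNCTIONS.get(fc & 0x7F, ("", "unknown"))[1]
    else:
        action, table = FUNCTIONS.get(fc, ("unknown", "unknown"))
    return {"tid": tid, "unit": unit, "fc": fc, "action": action,
            "table": table, "data": adu[8:]}

def audit(adus):
    """Return (index, kind, detail) for every frame that is not a plain read."""
    findings = []
    for i, adu in enumerate(adus):
        try:
            m = parse_adu(adu)
        except ValueError as exc:
            findings.append((i, "malformed", str(exc)))
            continue
        if m["action"] != "read":
            detail = f"unit {m['unit']} fc 0x{m['fc']:02X} {m['table']}"
            findings.append((i, m["action"], detail))
    return findings

# Constructed sample frames: a read, a single-register write, a bad length.
SAMPLES = [bytes.fromhex(h) for h in (
    "0001000000061103006B0003",
    "000200000006110600010003",
    "0003000000091103006B0003",
)]
```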

Modbus TCP/IP can be better understood by referring to the Open System Interconnect (OSI) Reference Model. The model does not attempt to define an actual implementation; rather, it serves as a structural aid to understanding “what must be done” and “what goes where”.

Modbus Functions and Registers

The Modbus registers of a device are organised around the four basic data reference types noted above, and the data type is further identified by the leading number of the reference address as follows:

| Reference | Description |
|-----------|-------------|
| 0xxxx     | Read/Write Discrete Outputs or Coils. A 0x reference address is used to drive output data to a digital output channel. |
| 1xxxx     | Read Discrete Inputs. The ON/OFF status of a 1x reference address is controlled by the corresponding digital input channel. |
| 3xxxx     | Read Input Registers. A 3x reference register has a 16-bit number received from an external source, e.g. an analogue signal. |
| 4xxxx     | Read/Write Output or Holding Registers. A 4x register is used to store 16 bits of numerical data (binary or decimal), or to send the data from the CPU to an output channel. |

The functions covered include:

  • Read Coil Status
  • Read Holding Registers
  • Read Input Registers
  • Preset Single Register
  • Force Multiple Coils
  • Preset Multiple Registers
  • Report Slave ID

Writing code to read Modbus TCP/IP is a separate subject that deserves a much more detailed treatment of its own.


What is Modbus RTU over TCP/IP?

It is a Modbus RTU message transmitted with a TCP/IP wrapper and sent over a network instead of serial lines. The Server does not have a Slave ID since it uses an IP Address instead.

This article is intended to offer the very basics of the Panel Meter communication protocol, and may not give enough information for firmware coding.