Modbus TCP — MBAP byte exchange over Ethernet
Modbus TCP wraps the original (1979) Modbus PDU inside a 7-byte MBAP header (transaction ID, protocol ID, length, unit ID) and ships it over TCP/IP. The distinctive trait you'll see below: the MBAP header chip is visibly larger than the payload byte chip — that's the protocol overhead, made visible.
Animation
Compare with
- Modbus RTU — same Modbus PDU, but RS-485 serial instead of TCP. Compare overhead (5 B vs 7 B) and tempo (medium serial vs fast Ethernet).
Engineering pitfalls
Transaction ID reuse → response correlation failure
The MBAP transaction ID is a 16-bit field. If an ID is reused while a request carrying that ID is still outstanding, the client may correlate a stale (or delayed) response with the fresh request. Increment the ID monotonically, wrap only after all 65,535 values have been consumed, and reject any response whose ID is not currently outstanding.
TCP port 502 firewall blocking
Default port is 502. Many enterprise firewalls block it as "unknown industrial" — you'll see TCP SYN go out, no SYN-ACK come back. Verify firewall rules before debugging the Modbus stack.
Keepalive vs poll interval mismatch
If your poll interval exceeds the TCP keepalive timeout, the connection silently dies and the next poll gets `ECONNRESET`. Set poll interval < keepalive (the Linux default is 2 hours, and keepalive probes are only sent at all when `SO_KEEPALIVE` is enabled on the socket; lower the interval to 60 seconds for production Modbus TCP).
Unit ID 0 vs 255 — gateway routing
Unit ID is the legacy slave-address equivalent. Modbus TCP gateways use it to route to downstream serial slaves. ID 0 is broadcast (rarely supported); ID 255 means "this device itself"; IDs 1–247 route to a serial bus behind the gateway. Check that a response's unit ID matches the one you sent, since a gateway that mis-routes will still answer with a well-formed frame.
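The MBAP layout from the introduction and the transaction-ID and unit-ID pitfalls above, as an added example (not code from this page or from the Modbus Organization): a minimal big-endian MBAP builder/parser plus a client-side tracker that refuses to reuse an outstanding transaction ID and rejects responses whose transaction or unit ID was never issued. The sample PDU (Read Holding Registers, function 0x03) is constructed here for illustration.

```python
import struct

MBAP_LEN = 7              # transaction ID (2) + protocol ID (2) + length (2) + unit ID (1)
MODBUS_PROTOCOL_ID = 0    # always 0 for Modbus; anything else is not Modbus TCP
MAX_PDU_LEN = 253         # Modbus PDU limit, so length field is at most 1 + 253

def build_adu(transaction_id, unit_id, pdu):
    """Wrap a Modbus PDU in the 7-byte MBAP header (all fields big-endian)."""
    length = 1 + len(pdu)  # length counts the unit ID and the PDU, not the whole header
    return struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, length, unit_id) + pdu

def parse_adu(frame):
    """Split a Modbus TCP ADU into (transaction_id, unit_id, pdu), rejecting malformed frames."""
    if len(frame) < MBAP_LEN:
        raise ValueError("frame shorter than MBAP header")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise ValueError(f"unexpected protocol ID {pid}")
    if not 1 <= length <= 1 + MAX_PDU_LEN:
        raise ValueError(f"length field {length} out of range")
    if len(frame) != MBAP_LEN - 1 + length:
        raise ValueError("length field does not match frame size")
    return tid, uid, frame[MBAP_LEN:]

class ModbusTcpClient:
    """Tracks outstanding transaction IDs so a stale response cannot be matched to a fresh request."""

    def __init__(self):
        self._next_tid = 0
        self._outstanding = {}  # transaction ID -> unit ID the request was sent to

    def request(self, unit_id, pdu):
        """Assign the next 16-bit transaction ID and return the ADU to send."""
        tid = self._next_tid
        self._next_tid = (self._next_tid + 1) & 0xFFFF  # wraps only after 65,535 is consumed
        if tid in self._outstanding:
            raise RuntimeError(f"transaction ID {tid} still outstanding; cannot reuse it")
        self._outstanding[tid] = unit_id
        return build_adu(tid, unit_id, pdu)

    def response(self, frame):
        """Correlate a received ADU with its request; returns (transaction_id, pdu)."""
        tid, uid, pdu = parse_adu(frame)
        expected_unit = self._outstanding.pop(tid, None)
        if expected_unit is None:
            raise ValueError(f"response for unknown or stale transaction {tid}")
        if uid != expected_unit:
            raise ValueError(f"unit ID mismatch: sent to {expected_unit}, answered by {uid}")
        return tid, pdu
```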
References
Primary sources
- Modbus Organization, MODBUS Messaging on TCP/IP Implementation Guide V1.0b (2006).
- IETF RFC 793, Transmission Control Protocol.
- IANA Service Name and Transport Protocol Port Number Registry: 502/tcp = mbap.
- CompTIA Network+ N10-009 Exam Objectives §2.1.