
Coils, Registers and How the Protocol Actually Works
Modbus over TCP is one of the simplest industrial communication protocols still in heavy use today. It runs on Ethernet, uses TCP port 502, and follows a strict request-response model.
No discovery. No encryption. Just structured memory access over a network.
Basic Concept
Modbus TCP is built around one simple idea:
A client reads or writes memory areas inside a server.
The client always initiates communication. The server only answers.
There is no publish mechanism. No event push. Everything is polling based.
Frame Structure
A Modbus TCP frame contains:
• Transaction Identifier
• Protocol Identifier
• Length
• Unit Identifier
• Function Code
• Data
Unlike serial Modbus, there is no CRC field because TCP already provides integrity checking.
The Four Data Areas
Modbus defines four logical memory types. They are logical tables, not necessarily real physical memory blocks.
1. Coils
Single-bit values.
Read and write.
Typical use: digital outputs.
Examples:
• Motor start
• Relay energize
• Valve open
Each coil represents exactly one bit.
2. Discrete Inputs
Single-bit values.
Read only.
Typical use: digital inputs.
Examples:
• Limit switch
• Feedback contact
• Sensor state
3. Holding Registers
16-bit values.
Read and write.
Typical use: configuration and control parameters.
Examples:
• Speed setpoint
• Pressure limit
• Operating mode
4. Input Registers
16-bit values.
Read only.
Typical use: measurement values.
Examples:
• Temperature
• Flow rate
• Voltage
Addressing Reality
Vendor documentation often says something like:
Register 40001
But Modbus TCP uses zero-based addressing inside the protocol.
That means:
40001 in documentation often equals address 0 in the actual message.
This is one of the most common integration mistakes during commissioning.
Always check:
• Is the documentation one-based?
• Is the driver zero-based?
Never assume.
Function Codes
Communication happens via function codes.
Common ones:
01 Read Coils
02 Read Discrete Inputs
03 Read Holding Registers
04 Read Input Registers
05 Write Single Coil
06 Write Single Register
16 Write Multiple Registers
The function code defines what type of memory is accessed and how.
Data Width and Endianness
Registers are 16-bit.
But real-world systems use:
• 32-bit integers
• Floating-point values
• 64-bit counters
These span multiple registers.
Problems appear when:
• Word order differs
• Byte order differs
• Vendor swaps register order
If you read nonsense values, check endianness before assuming the device is broken.
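To make the frame layout, the function codes and the word-order problem concrete, here is an added example (not code from the original post) that builds a Read Holding Registers request, validates and parses a reply, and combines two registers into a 32-bit float with a selectable word order. The sample frames and the helper names are constructed for illustration, not captured from a real device.

```python
import struct

# Modbus exception code 0x02 (Illegal Data Address) is what a one-based/zero-based
# addressing mix-up typically produces on the wire.
ILLEGAL_DATA_ADDRESS = 0x02

def build_read_holding_request(tid, unit, start_addr, count):
    """Build a Read Holding Registers (FC 03) request: MBAP header + PDU.
    MBAP = transaction id, protocol id (always 0), length of what follows, unit id."""
    pdu = struct.pack(">BHH", 0x03, start_addr, count)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)  # +1 for the unit id byte
    return mbap + pdu

def parse_response(frame):
    """Parse a Modbus TCP response frame into its fields.
    Validates the MBAP length field against the bytes actually received and
    recognises exception responses (function code with the high bit set)."""
    if len(frame) < 9:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc & 0x80:
        return {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": frame[8]}
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("byte count does not match register data")
    regs = list(struct.unpack(">%dH" % (byte_count // 2), data))
    return {"tid": tid, "unit": unit, "fc": fc, "registers": regs}

def regs_to_float32(first, second, word_swap=False):
    """Combine two 16-bit registers into an IEEE 754 float.
    Bytes inside a register are big-endian by spec; which register holds the
    high word is vendor-defined, hence the word_swap flag."""
    hi, lo = (second, first) if word_swap else (first, second)
    return struct.unpack(">f", struct.pack(">HH", hi, lo))[0]

# Constructed sample frames: a normal reply carrying two registers that encode
# the float 12.5 (0x41480000), and an exception reply to an out-of-range address.
SAMPLE_DATA_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 4148 0000")
SAMPLE_EXCEPTION_RESPONSE = bytes.fromhex("0002 0000 0003 01 83 02")

if __name__ == "__main__":
    print(build_read_holding_request(1, 1, 0, 2).hex())
    reply = parse_response(SAMPLE_DATA_RESPONSE)
    print(reply, regs_to_float32(*reply["registers"]))
    print(parse_response(SAMPLE_EXCEPTION_RESPONSE))
```

Feeding the same two registers through regs_to_float32 with and without word_swap is the quickest way to tell a swapped word order from a genuinely broken device.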
Example: Pump Control
Imagine a simple pump controller.
Coil 0: Start command
Discrete Input 0: Running feedback
Holding Register 0: Speed setpoint
Input Register 0: Measured flow
The SCADA system:
- Writes coil to start pump
- Reads discrete input to verify state
- Writes speed
- Reads flow continuously
That is Modbus in practice. Repeated thousands of times per minute.
Systems like WinCC OA or Ignition typically poll these addresses cyclically.
Strengths
• Simple to implement
• Deterministic polling
• Lightweight
• Vendor independent
• Easy to debug with Wireshark
Weaknesses
• No authentication
• No encryption
• No built-in integrity protection beyond TCP
• No information modeling
• No event-driven design
If you expose Modbus TCP directly to the internet, you are inviting trouble.
In real installations, it belongs:
• Inside segmented OT networks
• Behind firewalls
• Behind VPN access
Where It Still Makes Sense
Modbus TCP works well when:
• You need basic data exchange
• Devices are simple
• Deterministic polling is acceptable
• You are integrating legacy equipment
It is not designed for:
• Complex data models
• Secure-by-design architectures
• Large distributed cloud systems