7
4.1.2 Protocol Data Unit
The Protocol Data Unit (PDU) is made up of between 2 and 256 bytes, depending on the function and
number of data addresses requested:
Function Code 1 byte
Function Code identifier.
Can be any of the hexadecimal codes listed in the Function Code table.
Data Payload
Payload for request/response transactions.
Varies depending on function code and number of addresses requested.
4.1.3 Modbus/TCP Function Codes
The Modbus/TCP Server feature supports the following function codes:
Name Description
Read Coils
Read up to 2000 consecutive 1-bit Coils within a single
request/response cycle.
0xxxx
Read up to 2000 consecutive 1-bit Discrete Inputs
within a single request/response cycle.
1xxxx
Read up to 125 consecutive 16-bit Holding Registers
within a single request/response cycle.
4xxxx
Read up to 125 consecutive 16-bit Input Registers
within a single request/response cycle.
3xxxx
Write Single Coil
Write a single 1-bit Coil within a single
request/response cycle.
0xxxx
Write Single
Holding Register
Write a single 16-bit Holding Register within a single
request/response cycle.
4xxxx
Write Multiple
Holding Registers
Write up to 125 consecutive 16-bit Holding Registers
within a single request/response cycle.
4xxxx
The consecutive address limitations of the Coils, Discrete Inputs, Holding Registers, and Input Registers
were established for the Modbus/TCP standard to maintain consistency with the original Modbus
protocol standard, even though a TCP/IP packet can contain a larger payload.
The Modbus/TCP feature allows for Function Codes 1 and 2 to be used interchangeably for read
requests. For example, a read coils (FC1) request for data addresses 00605 through 00610 will always
return the same result as a read discrete inputs (FC2) request for data addresses 10605 through 10610.
Likewise, the Modbus/TCP feature allows for Function Codes 3 and 4 to also be used interchangeably for
read requests. For example, a read holding registers (FC3) request for data addresses 40587 through
40590 will always return the same result as a read input registers (FC4) request for data addresses
30587 through 30590. All addresses accessible as a Coil or Discrete Input may also be accessed as a
Holding Register or Input Register.
Only the 4 least significant digits of the data address are explicitly stated in the Modbus message, with
the most significant (5
th
) digit being derived from the function code. However, generally the entire
5-digit data address must be specified in the Tag Database of an HMI.
To Next Page
