Modbus TCP is a variant of the Modbus family that uses TCP/IP as its transport mechanism, enabling master-slave communication between industrial electronic devices over standard Ethernet networks. It encapsulates a standard Modbus frame—consisting of a Modbus Application Protocol (MBAP) header and a Protocol Data Unit (PDU)—directly into a TCP segment for transmission.
Glossary
Modbus TCP

What is Modbus TCP?
Modbus TCP is the Ethernet-based implementation of the widely adopted Modbus protocol, encapsulating serial communication frames within TCP/IP packets for industrial automation.
Unlike serial Modbus variants, Modbus TCP eliminates the need for traditional checksums by relying on the underlying TCP stack for error detection, and it introduces a Unit Identifier to address devices behind a gateway. This protocol is foundational to Operational Technology (OT) environments, facilitating data acquisition from Programmable Logic Controllers (PLCs) and remote terminal units within modern SCADA architectures.
Key Features of Modbus TCP
Modbus TCP adapts the legacy serial protocol for modern Ethernet networks, combining simplicity with TCP/IP reliability for industrial automation.
TCP/IP Encapsulation
Modbus TCP encapsulates the standard Modbus Protocol Data Unit (PDU) within a TCP/IP frame, replacing the serial checksum with the TCP stack's built-in error detection. The standard Modbus Application Protocol (MBAP) header adds a Transaction Identifier and Unit Identifier to route messages across Ethernet networks. Communication occurs over port 502, the IANA-assigned standard port for Modbus TCP traffic.
Client-Server Model
Unlike the master-slave terminology of serial Modbus, Modbus TCP operates on a client-server architecture. The client initiates requests, and the server processes them and returns responses. A single client can communicate with multiple servers simultaneously, and multiple clients can access the same server. This model supports concurrent transactions through unique transaction identifiers, enabling parallel data exchange across the network.
Function Code Operations
Modbus TCP retains the standard function codes for data access and control. Key operations include:
- Read Coils (FC 01): Read discrete outputs
- Read Holding Registers (FC 03): Read 16-bit analog values
- Write Single Register (FC 06): Write to a single holding register
- Write Multiple Registers (FC 16): Write a block of registers These function codes are inspected by deep packet inspection systems for anomaly detection.
Connectionless Communication
Modbus TCP is fundamentally connectionless at the application layer. Each request-response pair is independent, with no session state maintained between transactions. The TCP layer handles reliable delivery, but the Modbus protocol itself does not require persistent connections. This design simplifies implementation but requires stateful whitelisting in security architectures to validate the logical sequence of commands against the industrial process state.
Data Model Addressing
The Modbus data model defines four primary data tables accessible via function codes:
- Discrete Inputs: Read-only single-bit values from field devices
- Coils: Read-write single-bit outputs
- Input Registers: Read-only 16-bit analog measurements
- Holding Registers: Read-write 16-bit configuration and control values Each table supports up to 65,536 addresses, providing extensive data mapping for complex industrial systems.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Modbus TCP protocol, its security implications, and its role in modern industrial control systems.
Modbus TCP is a variant of the Modbus serial communication protocol that uses TCP/IP as its transport layer to facilitate master-slave communication between industrial electronic devices over Ethernet networks. It works by encapsulating a standard Modbus Protocol Data Unit (PDU) within a TCP/IP packet, adding a 7-byte Modbus Application Protocol (MBAP) header that includes a transaction identifier, protocol identifier, length field, and unit identifier. The master (client) initiates a request, and the slave (server) responds. The default TCP port is 502. Unlike Modbus RTU, Modbus TCP does not use a CRC checksum, relying instead on the TCP/IP stack's error detection. This allows for high-speed, routable communication across standard IT infrastructure, making it the dominant protocol for integrating PLCs, HMIs, and SCADA systems in modern automation.
Modbus TCP vs. Other Industrial Protocols
A technical comparison of Modbus TCP against DNP3, OPC UA, and IEC 61850 across key operational and security dimensions relevant to SCADA anomaly detection.
| Feature | Modbus TCP | DNP3 | OPC UA | IEC 61850 |
|---|---|---|---|---|
Transport Layer | TCP/IP over Ethernet | TCP/IP or Serial | TCP/IP, HTTPS, or SOAP | Ethernet (Layer 2) or TCP/IP |
Communication Model | Master-Slave (Client-Server) | Master-Remote with Report-by-Exception | Client-Server with Pub/Sub | Client-Server with GOOSE Peer-to-Peer |
Built-in Authentication | ||||
Built-in Encryption | ||||
Time Synchronization | ||||
Data Modeling | Flat Register Map (Coils, Holding Registers) | Flat Point Index with Data Types | Object-Oriented with Semantic Modeling | Abstract Logical Nodes and Objects |
Typical Latency | < 10 ms | < 100 ms (polled) | < 50 ms | < 4 ms (GOOSE) |
Primary Use Case | Simple monitoring and control in factories and buildings | Telemetry and control in electric and water utilities | Cross-platform industrial interoperability and IT/OT integration | High-speed protection and automation within substations |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding Modbus TCP requires familiarity with the industrial protocols, security frameworks, and monitoring techniques that surround it in modern SCADA and OT environments.
DNP3
Distributed Network Protocol 3 is a competing open standard to Modbus TCP, primarily used in North American electric and water utilities. Unlike Modbus TCP's simple master-slave model, DNP3 supports unsolicited reporting where remote devices can initiate communication, and includes time-stamped data for accurate sequence-of-events recording. It operates over TCP/IP but adds robust error checking and link-layer confirmation.
Function Code Inspection
This security technique analyzes the specific Modbus function code within a TCP packet payload to validate its legitimacy. Key codes include:
- FC 03 (Read Holding Registers): Reads current values
- FC 06 (Write Single Register): Overwrites a single data point
- FC 16 (Write Multiple Registers): Bulk write operation Deep inspection ensures a write command to a safety-critical coil is not spoofed by an attacker.
Protocol Whitelisting
A foundational OT security control that permits only pre-authorized Modbus TCP function codes and register ranges to traverse the network. Instead of blocking known bad signatures, it denies all traffic by default and allows only the specific read/write operations required for normal operations. This prevents an attacker from issuing a malicious FC 05 (Write Single Coil) command to trip a breaker.
Passive Monitoring
The non-intrusive method for observing Modbus TCP traffic by analyzing a copy of network packets via a SPAN port or Network TAP. This approach introduces zero latency to the deterministic control loop and cannot be detected by an attacker. A passive monitor reconstructs Modbus transactions to build a behavioral baseline of normal master-slave polling rhythms and register access patterns.
IEC 62443
The international standard series defining a comprehensive security framework for Industrial Automation and Control Systems (IACS). It addresses Modbus TCP security at multiple levels:
- IEC 62443-3-3: System security requirements, including network segmentation
- IEC 62443-4-2: Component-level requirements for devices like PLCs Compliance ensures that Modbus TCP endpoints have hardened authentication and resource management.
Stateful Whitelisting
An advanced enforcement mechanism that validates Modbus TCP commands against the current operational state of the industrial process. For example, a command to open a high-voltage breaker is only permitted if the system confirms the line is de-energized. This prevents logically valid but physically dangerous commands that simple protocol whitelisting would miss.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us