Modbus TCP explained: a guide for installers (2026)
Modbus TCP explained for installers: the MBAP header, port 502, wiring, the difference from RTU, and what the 2026 EPBD obligation means.
Modbus TCP brings the old Modbus protocol onto the Ethernet network, and in 2026 it is the standard the moment an installation has a switch, a PLC or a building management system. Yet most installers stumble on the same three points: the MBAP header, port 502, and how to get existing RS485 devices onto a TCP network. This guide sorts those three out.
You will learn how a Modbus TCP frame is built, why it no longer carries a CRC, how to lay out the Ethernet layer in practice, and when to pick TCP over RTU. By the end you will also know why you never put port 502 straight on the internet, and what the tightened EPBD obligation from 1 January 2026 means for your projects. Written for installers, not for software developers.
Key takeaways
- Modbus TCP wraps the same function codes as Modbus RTU inside a TCP/IP packet with a 7-byte MBAP header, and runs on port 502 by default.
- The CRC disappears: TCP/IP handles error detection itself, so a Modbus TCP frame ends right after the data.
- From 1 January 2026 the EPBD recast (EU 2024/1275) lowers the threshold for mandatory building automation from 290 kW to 70 kW, and Modbus TCP is often the underlying transport.
What is Modbus TCP exactly?
Modbus TCP is the variant of the Modbus protocol that carries messages inside a TCP/IP packet over Ethernet instead of over a serial RS485 line. The application layer is identical to Modbus RTU: the same function codes, the same register types. Only the transport differs. Schneider Electric, owner of the original Modicon, added Modbus TCP to the Modbus family in the late 1990s.
You recognise such an installation by an RJ45 socket instead of an A/B/GND terminal block, and by an IP address per device. According to the MODBUS Messaging on TCP/IP Implementation Guide V1.0b, maintained by the Modbus Organization, the protocol uses one fixed TCP port, port 502, assigned by IANA. Modbus has also been part of the international fieldbus standard IEC 61158 since 2007.
In 2026 Modbus RTU still sits inside virtually every heat pump, energy meter and refrigeration controller at the device level, while TCP is the standard at the PLC, switch and building management layer. For the basics of the protocol itself, read our complete Modbus guide first. To compare the sibling, see Modbus RTU explained.
How a Modbus TCP frame is structured
A Modbus TCP frame is officially called an ADU (Application Data Unit) and has two parts: a 7-byte MBAP header and, behind it, the PDU, the actual function code plus data. The MBAP header is the only thing a TCP frame adds to what RTU already sends.
No CRC: TCP/IP provides error detection through the TCP checksum.
The four MBAP header fields
The MBAP header has four fields. The Transaction Identifier (2 bytes) lets the master keep several outstanding requests on one connection; the response carries the same number back. The Protocol Identifier (2 bytes) is always 0 for Modbus. The Length field (2 bytes) states how many bytes follow. The Unit Identifier (1 byte) addresses the device and matters most when routing through a gateway to a serial sub-network.
The biggest difference from RTU is what is missing: there is no CRC. With Modbus RTU every frame ends in a CRC-16 checksum, because the serial line has no error detection of its own. Over TCP the transport layer handles integrity through its own checksum, so the frame ends right after the data.
Port 502 and the Ethernet layer in practice
Modbus TCP runs over a standard Ethernet network, so you work with RJ45 connectors, Cat 5e or Cat 6 cable and a switch instead of a daisy chain. Each device gets its own IP address and listens as a server on port 502; the master, often a PLC or a gateway, opens a TCP connection to that IP address and port.
Three things decide whether a Modbus TCP bus runs reliably. First, the IP configuration: give each device a fixed IP address in the same subnet, because expiring DHCP leases break the polling. Second, the topology: Modbus TCP is a star layout through a switch, not the bus line you know from RS485, so a faulty branch does not take down the whole network at once. Third, cable quality: keep Ethernet runs under 100 m per segment, in line with the structured-cabling rules aligned with IEC 60364-5-52 for separating signal and power cables.
Port 502 is the default, but some manufacturers let you set a different port. Always check that in the datasheet before you set up the connection, because a wrong port produces exactly the same error as a device that does not respond.
Modbus TCP vs Modbus RTU, when to pick which
Modbus TCP and RTU speak the same language at the application layer, so the choice is about transport, not registers. The table below sets out the practical differences.
| Property | Modbus RTU | Modbus TCP |
|---|---|---|
| Transport | RS485 or RS232 (serial) | TCP/IP over Ethernet |
| Error checking | CRC-16 in the frame | TCP checksum, no CRC |
| Topology | daisy chain (bus line) | star through a switch |
| Addressing | slave address 1 to 247 | IP address plus Unit ID |
| Port | not applicable | 502 (IANA) |
| Number of masters | one master per bus | several clients at once |
| Speed | up to about 115,200 baud | Ethernet, 100 Mbit or more |
Pick Modbus RTU when you connect individual field devices over a short distance: a few energy meters in a cabinet, a heat pump with a serial port, a refrigeration controller. RTU needs no network infrastructure and is cheaper per device.
Pick Modbus TCP when an Ethernet network is already in place, when several systems need to read the same data at once, or when the distance is greater than a single RS485 segment can handle. A PLC, a SCADA system and a cloud platform can each open their own TCP connection at the same time, which an RTU bus with a single master cannot do.
From RTU to TCP through a gateway
Most field devices only offer Modbus RTU, while the higher level expects Modbus TCP. A Modbus gateway bridges that gap: the gateway polls the RS485 bus as master and exposes those same devices as TCP servers on port 502.
Unit ID routing in practice
This is where the Unit ID field from the MBAP header comes back. The gateway uses the Unit ID to decide which RTU device behind the bus should answer the request. A TCP client opens a connection to the gateway's IP address and puts the slave address of the target device in the Unit ID. On devices with their own TCP stack the Unit ID is often 1 or 255 and is ignored.
To work out which gateway type suits your installation, compare the options in our Modbus gateway buyer guide. The wiring on the RS485 side stays exactly the same as on a pure RTU installation.
Security: why you never put port 502 straight on the internet
Modbus TCP has no built-in authentication and no encryption. Anyone who can reach port 502 can read and write registers without a password. That makes network segmentation not a luxury but a baseline requirement, especially now that Modbus devices hang off the internet through gateways.
Modbus TCP Security on port 802
For cases where Modbus still has to run encrypted across a network, the Modbus Organization has published the Modbus/TCP Security specification since 2018. It adds TLS and X.509v3 certificates and runs on port 802, separate from the unsecured 502. In practice a gateway that sends the data over an encrypted, outbound connection to a platform solves the same problem without you opening any inbound ports. The wider framework for this is the OT security standard IEC 62443.
Modbus TCP and the 2026 EPBD obligation
From 1 January 2026 the EPBD recast (EU 2024/1275), Article 14, lowers the threshold for mandatory building automation and control systems in non-residential buildings from 290 kW to 70 kW of effective heating or cooling output. A large group of mid-size buildings now falls under the obligation: offices around 1,000 m2, secondary schools, smaller care facilities.
For an installer this means practically every new installation above 70 kW must deliver a digital data point to a higher-level system, and it is often the transport. The standard ISO 52120-1, which the EPBD references, requires continuous data acquisition per technical installation for Class B. A chain with a gateway that polls the Modbus bus and forwards the data to a monitoring platform meets that.
In practice you build that chain with a ModbusCloud Gateway that reads the Modbus bus and forwards every data point securely to a central dashboard. The same goes for energy meters, where our comparison of Modbus energy meters shows which models speak TCP natively and which need a gateway.
What is Modbus TCP?
Modbus TCP is the variant of Modbus that carries messages over a TCP/IP network instead of a serial RS485 line. It uses the same function codes as Modbus RTU, wrapped in a 7-byte MBAP header, and runs on port 502 by default.
Is Modbus TCP the same as Ethernet?
No. Ethernet is the physical network layer (the cable and the switch), while Modbus TCP is the application protocol that runs over it. Modbus TCP uses Ethernet as transport, the way a web page uses HTTP over Ethernet.
Is Modbus TCP the same as RS485?
No. RS485 is the serial physical layer that Modbus RTU uses, with A/B/GND wires. Modbus TCP runs over Ethernet with RJ45 and IP addresses. The function codes and registers are identical; only the transport differs.
What port does Modbus TCP use?
Modbus TCP uses TCP port 502 by default, assigned by IANA. Some devices allow a different port. The encrypted variant, Modbus/TCP Security, runs on port 802 with TLS and certificates.
Does Modbus TCP have a CRC?
No. Modbus RTU ends every frame with a CRC-16, but Modbus TCP does not. The TCP layer handles error detection through the TCP checksum, so the frame ends right after the data.
How many devices can a Modbus TCP network handle?
Modbus TCP has no hard limit like the 32 loads of an RS485 segment. The number is bounded by the switch, the subnet, and the maximum number of simultaneous TCP connections each device supports, often between 1 and 16 per server.
Can I connect an RTU device to a Modbus TCP network?
Yes, through a Modbus gateway. The gateway polls the RTU device over RS485 and exposes it as a TCP server on port 502. The Unit ID in the MBAP header decides which slave address behind the gateway answers.
Ready to set up monitoring that meets the 2026 EPBD obligation? A ModbusCloud Gateway reads both Modbus RTU and Modbus TCP and forwards every data point securely to a central dashboard, without you having to open port 502.
Ready to get started?
Order the ModbusCloud Gateway and start monitoring your installations within 5 minutes.
View the gateway