I am using Modscan64 to poll a service using TCP. I always receive this message:
** MODBUS Message TIME-OUT **
I connect to loopback 127.0.0.1.
I have tried with function 3 (holding register) and function 4 (input register), using length 2 and address 0001.
My service (coded in Python using twisted for TCP) receives the request, properly interprets the bytes, processes it and sends a response.
The response I send is received by MODSCAN as verified in the "Show Traffic" mode. The bytes in the response match what my service sent.
Is timeout really the issue?
How do I change the timeout? I see no settings for TCP Timeout. (googling explains how to set it for RTU only.)
If it is not really a timeout, then what?
Here is a typical request / response:
01 00 00 00 00 06 01 04 00 00 00 02 04 04 42 ca 00 00
Request (12 bytes):
- First two bytes 01 00 are a counter that increments for each request.
- First seven bytes are the TCP header: 01 00 00 00 00 06 01
- The next five bytes are the MODBUS request: 04 00 00 00 02
- In the request, 04 is function code for read input register
- In the request, the next two bytes 00 00 are the address to read
- In the request, the final two bytes are 00 02 for the quantity of registers to read
Response (6 bytes):
- The MODBUS response is the last six bytes: 04 04 42 ca 00 00
- The response echoes the function 04 to mean not an error
- The response then has 04 for number of bytes to follow
- The response then has 42 ca 00 00 which is single precision for 101.0 (the simulated temperature value being tested)
Does MODSCAN expect a TCP envelope in the response?
Do I need to do something to indicate byte order?
There is a MODBUS spec and a MODBUS implementation guide. The first is less detailed and was what I was using. The second has more details, including crucial information:
MODBUS responses need to have an MBAP header, just like the requests.
See section 3.1.2 of: https://modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf
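To make the MBAP point concrete, here is an added illustration (not code from the question's Twisted service): it parses the request frame quoted above, validates the header, and wraps the same `04 04 42 ca 00 00` PDU in an MBAP header so the transaction id and unit id are echoed and the length field is correct. The helper names and the 101.0 sample temperature are constructed for this example.

```python
import struct

# MBAP header (Modbus Messaging Implementation Guide, section 3.1.2):
# transaction id (2), protocol id (2, always 0), length (2), unit id (1), all big-endian.
MBAP = struct.Struct(">HHHB")

# Request bytes taken from the question: read input registers (04), address 0, quantity 2.
REQUEST = bytes.fromhex("01 00 00 00 00 06 01 04 00 00 00 02")


def parse_mbap(frame: bytes):
    """Split a Modbus TCP frame into (transaction id, unit id, PDU), checking the header."""
    if len(frame) < MBAP.size:
        raise ValueError("frame shorter than the 7-byte MBAP header")
    tid, pid, length, uid = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    pdu = frame[MBAP.size:]
    # The length field counts the unit id plus the PDU, so the PDU must be length - 1 bytes.
    if len(pdu) != length - 1:
        raise ValueError(f"length field {length} does not match {len(pdu) + 1} bytes present")
    return tid, uid, pdu


def frame_response(request: bytes, response_pdu: bytes) -> bytes:
    """Prefix a response PDU with an MBAP header echoing the request's transaction and unit ids."""
    tid, uid, _ = parse_mbap(request)
    return MBAP.pack(tid, 0, len(response_pdu) + 1, uid) + response_pdu


def handle_request(request: bytes, temperature: float = 101.0) -> bytes:
    """Answer function 3/4 reads of two registers with one big-endian float; else reply with a Modbus exception."""
    _, _, pdu = parse_mbap(request)
    function = pdu[0]
    if function in (3, 4) and len(pdu) == 5:
        quantity = struct.unpack_from(">H", pdu, 3)[0]
        if quantity != 2:
            # Exception code 0x03: illegal data value (only a 2-register float is simulated here).
            return frame_response(request, bytes([function | 0x80, 0x03]))
        # Normal response: function, byte count (4), then the float as two 16-bit registers.
        return frame_response(request, bytes([function, 4]) + struct.pack(">f", temperature))
    # Exception code 0x01: illegal function.
    return frame_response(request, bytes([function | 0x80, 0x01]))


if __name__ == "__main__":
    print(handle_request(REQUEST).hex(" "))  # 01 00 00 00 00 07 01 04 04 42 ca 00 00
```

Note that the response's length field is 7 (unit id plus a 6-byte PDU) even though the request's was 6; the header must be recomputed for each reply, not copied from the request.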