> Hi Guys,
> Has anyone found a better description of the Modbus Protocol than the
> one at http://www.modicon.com/techpubs ?  I have one of those serial
> port "sniffers" connected to two PLCs that are talking on the modbus.
> The master says (in RTU hex):
> 01    (start of header)
> 03    (??)
> 0f    (slave source address MSB)
> f6    (slave source address LSB)
> 00   (??)
> 01   (number of bytes)
> 67   (rev 16bit CRC)
> 2c  (??)
>
> I am trying to find out what the (??) bytes are as shown above.
> After I understand the protocol a bit, I hope to make a PIC a slave.
> Anyone been down this path?
>
> Thanks a bunch,
> Greg
>

I am currenly heading down the same road (implementing Modbus
on a PIC)

I see a couple of problems with your breakdown of the packet.
        1.      Modbus uses 8 bit node addresses, not 16 bit.
        2.      CRC is 16 bits, not 8

According to the Modbus spec for RTU mode:

01 Slave address
03 Function# = Read Multiple registers
0F      Register Address High byte
F6      Register Address Low byte
00      Number of words to read High byte
01      Number of words to read Low byte
67      LSB CRC
2C      MSB CRC

Another good reference is at the modicon site you mentioned,
document: openmbus.doc.  It's in the Modbus over TCP/IP area.

Modbus implementations are divided into classes.  A minimal
Modbus implementation (Class 0) needs only implement
commands 0x03 and 0x10 with their associated error responses.

Hope this helps
Thomas J Macauley, KD7BDW
thomas@advancedcontrol.com
(208) 362-5858