Modbus TCP Port 502 Simulator - Complete Testing Guide

Updated March 23, 2026 · 9 min read · For PLC engineers, SCADA developers, and automation testers

Modbus TCP operates exclusively on port 502. No negotiation, no alternatives. When you need to test Modbus TCP communication—whether you're commissioning a new PLC, troubleshooting a SCADA integration, or developing an industrial IoT gateway—you need a simulator that can act as both master and slave on this specific port.

This guide covers everything you need to know about Modbus TCP port 502 testing, common issues, and how to use a simulator effectively.

Why Port 502?

Port 502 is the IANA-assigned standard port for Modbus TCP. Unlike HTTP (port 80/443) or FTP (port 21), there's no flexibility here. The Modbus TCP protocol specification (Modbus Messaging on TCP/IP Implementation Guide) hardcodes this port number.

When a Modbus TCP master initiates communication, it connects to the slave device on TCP port 502. The slave listens on this port and responds to function code requests (read coils, write registers, etc.).

Port 502 Access Requirements

On Windows, binding to port 502 requires administrator privileges because it's below port 1024. On Linux, you need root or CAP_NET_BIND_SERVICE capability. Most Modbus simulators handle this automatically when run with elevated permissions.

What Is a Modbus TCP Port 502 Simulator?

A Modbus TCP simulator is software that emulates Modbus master or slave devices over TCP/IP on port 502. Instead of needing physical PLCs, sensors, or actuators during development and testing, you simulate them on your PC.

Master Mode (Client)

In master mode, the simulator acts as a Modbus TCP client. It:

Slave Mode (Server)

In slave mode, the simulator acts as a Modbus TCP server. It:

Common Port 502 Testing Scenarios

1. PLC Commissioning

You've configured a new Siemens S7-1200 or Allen-Bradley CompactLogix PLC with Modbus TCP. Before connecting it to the actual SCADA system, you want to verify:

Solution: Use a Modbus TCP master simulator to connect to the PLC's IP address on port 502. Read specific register addresses and verify the values match expected sensor readings or control states.

2. SCADA Integration Testing

Your SCADA software (Ignition, WinCC, Wonderware) needs to poll 50 Modbus TCP devices on a production floor. You can't afford downtime to test connectivity.

Solution: Set up 50 instances of a Modbus TCP slave simulator, each on a different IP address (or same IP with different unit IDs). Configure register maps matching the real devices. Point your SCADA at the simulators and verify tag updates, alarm thresholds, and historical logging before going live.

3. IoT Gateway Development

You're developing a gateway that converts Modbus TCP data to MQTT for cloud ingestion. You need repeatable test data without physical devices.

Solution: Run a Modbus TCP slave simulator with scripted register value changes (simulating temperature ramps, pressure fluctuations, etc.). Your gateway reads from port 502 and you verify MQTT messages contain correct JSON payloads.

4. Firewall Configuration Validation

After configuring firewalls between OT (Operational Technology) and IT networks, you need to verify that Modbus TCP traffic on port 502 is allowed in specific directions.

Solution: Place a Modbus TCP master simulator on one side of the firewall and a slave simulator on the other. Test bidirectional communication. If the master times out, the firewall is blocking port 502.

Step-by-Step: Testing Modbus TCP on Port 502

Scenario: Testing a PLC's Modbus TCP Server

Let's say you have a PLC at IP address 192.168.1.100 configured as a Modbus TCP slave. You want to read holding register 40001 (which should contain an integer temperature value).

Using ModbusSimulator:

1. Launch ModbusSimulator in Master Mode
2. Connection Settings:
- Protocol: Modbus TCP
- IP Address: 192.168.1.100
- Port: 502
- Unit ID: 1 (default for most PLCs)
3. Function Code: FC03 (Read Holding Registers)
4. Start Address: 40001 (0-indexed internally as address 0)
5. Quantity: 1 register
6. Click "Connect" then "Read"
7. Response displays in register view (e.g., 2350 = 23.5°C if scaled)

If you see a response, communication works. If you get "Connection timeout" or "Exception 0x01 (Illegal Function)", troubleshooting begins.
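The read in the steps above, shown at the byte level as an added example (this is not ModbusSimulator's code, and the function names and sample frames are assumptions made for illustration). It builds the FC03 request for reference 40001, then parses a normal response and an exception response:

```python
import struct

# Exception codes named on this page; any other code is reported numerically.
EXCEPTIONS = {0x01: "Illegal Function", 0x02: "Illegal Data Address"}

def to_wire_address(reference):
    """Map a 4xxxx reference (40001..49999) to the 0-based address sent on the wire."""
    if not 40001 <= reference <= 49999:
        raise ValueError("not a holding-register reference")
    return reference - 40001

def build_fc03_request(transaction_id, unit_id, reference, quantity):
    """MBAP header (transaction id, protocol id 0, length, unit id) + FC03 PDU."""
    pdu = struct.pack(">BHH", 0x03, to_wire_address(reference), quantity)
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_fc03_response(frame, transaction_id, quantity):
    """Return the register values, or raise with the exception the slave reported."""
    if len(frame) < 9:
        raise ValueError("truncated frame")
    tid, proto, length, _unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    if tid != transaction_id:
        raise ValueError("transaction id mismatch")
    if func == 0x83:  # FC03 with the high bit set marks an exception response
        code = frame[8]
        raise RuntimeError("Exception 0x%02X (%s)" % (code, EXCEPTIONS.get(code, "other")))
    if func != 0x03 or frame[8] != 2 * quantity or len(frame) != 9 + 2 * quantity:
        raise ValueError("unexpected response")
    return list(struct.unpack(">%dH" % quantity, frame[9:]))

# Constructed sample frames (not captured from a real device).
SAMPLE_OK = bytes.fromhex("000100000005010302092e")      # one register = 2350
SAMPLE_EXCEPTION = bytes.fromhex("000100000003018302")   # exception code 0x02

if __name__ == "__main__":
    print(build_fc03_request(1, 1, 40001, 1).hex())
    print(parse_fc03_response(SAMPLE_OK, 1, 1))
    try:
        parse_fc03_response(SAMPLE_EXCEPTION, 1, 1)
    except RuntimeError as err:
        print(err)
```
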

Troubleshooting Port 502 Issues

Error: Connection Timeout

Cause: The slave device isn't reachable, port 502 is blocked, or the slave isn't running.

Fix:

Error: Exception 0x02 (Illegal Data Address)

Cause: You're reading/writing a register address that doesn't exist or isn't mapped in the slave.

Fix:

Error: Exception 0x01 (Illegal Function)

Cause: The slave doesn't support the function code you're using (e.g., FC23 Read/Write Multiple Registers).

Fix: Use a simpler function code like FC03 (Read Holding Registers) or FC16 (Write Multiple Registers). Older devices may only support basic function codes.

Data Appears Byte-Swapped

Cause: Endianness mismatch. Modbus TCP uses big-endian (network byte order), but some PLCs default to little-endian for 32-bit values.

Fix: Most simulators have an endianness toggle. Try swapping byte order if a float value reads as garbage.
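What the endianness toggle does to a 32-bit float spread over two holding registers, as an added example (not code from the original page or from any simulator). The ordering names, function names and sample register values are assumptions chosen for illustration; the helper lists which orderings yield a value inside the range you expect from the process:

```python
import struct

# Names follow the common A-B-C-D labelling of the four bytes of a 32-bit value.
# Each entry is (swap the two words, swap the bytes inside each word).
ORDERINGS = {
    "ABCD (big-endian)": (False, False),
    "CDAB (word swap)": (True, False),
    "BADC (byte swap)": (False, True),
    "DCBA (little-endian)": (True, True),
}

def decode_float32(registers, word_swap=False, byte_swap=False):
    """Decode two 16-bit registers, in the order they were read, as an IEEE-754 float."""
    regs = list(registers)
    if len(regs) != 2 or any(not 0 <= r <= 0xFFFF for r in regs):
        raise ValueError("expected two 16-bit register values")
    if word_swap:
        regs.reverse()
    raw = b"".join(struct.pack(">H", r) for r in regs)
    if byte_swap:
        raw = bytes([raw[1], raw[0], raw[3], raw[2]])
    return struct.unpack(">f", raw)[0]

def plausible_orderings(registers, low, high):
    """Names of the orderings whose decoded value lies within [low, high]."""
    return [name for name, (words, byts) in ORDERINGS.items()
            if low <= decode_float32(registers, words, byts) <= high]

# Constructed sample: 23.515625 (0x41BC2000) as sent by a device that swaps words.
SAMPLE_REGISTERS = [0x2000, 0x41BC]

if __name__ == "__main__":
    for name, (words, byts) in ORDERINGS.items():
        print(name, decode_float32(SAMPLE_REGISTERS, words, byts))
    print(plausible_orderings(SAMPLE_REGISTERS, 1.0, 100.0))
```
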

Register Types on Port 502

Register Type     | Address Range | Function Code                  | Access
------------------|---------------|--------------------------------|-----------
Coils             | 00001 - 09999 | FC01 (Read), FC05/FC15 (Write) | Read/Write
Discrete Inputs   | 10001 - 19999 | FC02 (Read)                    | Read Only
Input Registers   | 30001 - 39999 | FC04 (Read)                    | Read Only
Holding Registers | 40001 - 49999 | FC03 (Read), FC06/FC16 (Write) | Read/Write

When testing on port 502, holding registers (40001-49999) are most commonly used for process variables, setpoints, and configuration data.

Advanced Testing: Multiple Slave Simulation

Real industrial networks often have dozens of Modbus TCP slaves. You can simulate this with:

Option 1: Multiple Unit IDs on One Port

Modbus TCP supports a Unit ID field (originally for serial Modbus gateways). A single slave on port 502 can respond to multiple unit IDs, simulating multiple devices behind a gateway.

Option 2: Multiple IP Addresses

Use virtual network adapters or Docker containers to run multiple slave simulators, each on a unique IP address, all listening on port 502.

Option 3: Multiple Ports (Non-Standard)

Some systems allow Modbus TCP on non-standard ports (503, 504, etc.). Not recommended for production, but useful for testing multiple slaves on one PC without network virtualization.

ModbusSimulator: Port 502 Testing Made Easy

ModbusSimulator is a professional tool for Modbus TCP port 502 testing. It combines master and slave modes in one application with a modern interface designed for engineers.

Key Features

  • Master + Slave modes in one app ($99 total)
  • Supports TCP, RTU, ASCII, and UDP
  • Unlimited simultaneous connections
  • Real-time request logging with scrollback
  • All 4 register types (coils, discrete inputs, input registers, holding registers)
  • CSV export for data analysis
  • 30-day free trial with full features

Why Engineers Choose It

  • No separate purchase for slave mode (unlike competitors)
  • Dark mode UI reduces eye strain during long testing sessions
  • One-time payment, lifetime updates
  • Works with all major PLCs (Siemens, AB, Schneider, Mitsubishi)
  • Windows application, no Java dependencies

FAQ

Can I use a different port instead of 502?

Technically yes—Modbus TCP can run on any TCP port. But standard devices expect port 502. Non-standard ports require configuration changes on both master and slave. Only use alternate ports for testing or custom applications.

Do I need administrator rights to test on port 502?

On Windows and Linux, yes—ports below 1024 require elevated privileges. Run your simulator as Administrator (Windows) or with sudo (Linux).

Can multiple applications listen on port 502 simultaneously?

No. TCP ports are exclusive. Only one application can bind to port 502 at a time. If you get "Address already in use", another process is using that port.

How do I find what's using port 502?

Windows: netstat -ano | findstr :502
Linux: sudo lsof -i :502
This shows the process ID using port 502.

Does Modbus TCP work over the internet?

Technically yes, but it's insecure (no encryption). For remote access, use a VPN or tunnel Modbus TCP through TLS/SSH. Never expose port 502 directly to the public internet.
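Because the protocol carries no authentication, any host that can reach port 502 can issue writes. As an added example (not part of the original page), the check below audits recorded request frames for the write function codes from the register table and reports writes from sources outside an allowlist; the record format, the allowlist and all addresses and frames are constructed assumptions:

```python
import struct

# Write function codes listed in the register table on this page.
WRITE_CODES = {0x05: "FC05", 0x06: "FC06", 0x0F: "FC15", 0x10: "FC16"}

def audit_requests(records, allowed_writers):
    """records: iterable of (source_ip, request_frame_bytes).

    Returns (source_ip, finding) for malformed frames and for write
    requests whose source is not in allowed_writers.
    """
    findings = []
    for src, frame in records:
        if len(frame) < 8:
            findings.append((src, "malformed frame"))
            continue
        _tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
        if proto != 0 or length != len(frame) - 6:
            findings.append((src, "malformed frame"))
            continue
        if func in WRITE_CODES and src not in allowed_writers:
            findings.append((src, "%s write to unit %d" % (WRITE_CODES[func], unit)))
    return findings

# Constructed sample records (addresses and frames are made up for this example).
SAMPLE_RECORDS = [
    ("192.168.1.5", bytes.fromhex("000100000006010300000001")),         # FC03 read
    ("192.168.1.5", bytes.fromhex("00020000000601060000092e")),         # FC06 write
    ("192.168.1.99", bytes.fromhex("00030000000901100000000102092e")),  # FC16 write
    ("192.168.1.99", bytes.fromhex("0004000000")),                      # truncated
]
SAMPLE_ALLOWED_WRITERS = {"192.168.1.5"}

if __name__ == "__main__":
    for src, finding in audit_requests(SAMPLE_RECORDS, SAMPLE_ALLOWED_WRITERS):
        print(src, finding)
```
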
