04 S7 Comm
aka —
| Name | S7 Communication Protocol |
|---|---|
| ISO | — |
| RFC | — |
This is the actual protocol that Siemens created for S7 PLC communication.
Packet Structure
The structure of the packets is identical for all message and function types. The data part is optional, though.
| S7 Comm | S7 Header | S7 Params | S7 Data | |||
|---|---|---|---|---|---|---|
| ISO TP | Hdr | S7PDU | ||||
| ISO on TCP | Hdr | TPDU | ||||
S7 Header
The structure of the header is identical for all message types and function codes.
| Byte | Value | Description |
|---|---|---|
| Fixed Part | ||
| [0] | 0x32 | Protocol ID |
| [1] | Message Type | |
| [2-3] | 0x00 00 | Reserved |
| [4-5] | PDU Reference (user defineable) | |
| [6-7] | Parameter Length | |
| [8-9] | Data Length | |
The S7 communication protocol defines different types of messages. For setting up the connection and for sending read or write requests, the Message Type is 0x01 (JOB or request). The reply messages will be of type ACK 0x02 or ACK_DATA 0x03.
S7 Params
The Function Code field encodes operations such as communication setup, system info, data read/write, block move, and PLC control functions. The most relevant functions are
0xF0: Setup Communication0x04: Read Variable0x05: Write Variable
The actual structure of the parameters depends on the Function Code.