VOLTRUS Blog
← All Posts

May 14, 2026 · Guide

S7 Communication Protocol: A Practical Guide for Engineers

If you work with Siemens PLCs, the S7 communication protocol is how your software talks to S7-1200, S7-1500, S7-300, and S7-400 controllers. Unlike Modbus or OPC-UA, which are vendor-neutral standards, S7 is Siemens' proprietary protocol — but it is the most direct way to access PLC data without running TIA Portal or Step 7. Here is how it works, what memory areas you can access, and how to use it in practice.

What Is the S7 Protocol?

The S7 communication protocol (sometimes called S7comm or S7 Communication) is Siemens' application-layer protocol for exchanging data with S7-family PLCs over Ethernet. It runs on top of TCP/IP, typically on port 102. The protocol was originally developed for the S7-300 and S7-400 series and later extended for S7-1200 and S7-1500 controllers.

Unlike Modbus, which treats everything as registers, the S7 protocol understands Siemens' memory model natively. You address data by its memory area (DB, I, Q, M, T, C) and its exact byte offset — no register mapping needed. You read and write the same variables that a Step 7 program uses.

S7 Memory Areas

Siemens PLCs organize data into distinct memory areas, each identified by a prefix:

Data Blocks (DB)

Data blocks are the primary storage for user data in S7-1200 and S7-1500 PLCs. Each DB has a number (DB1, DB2, DB100, etc.) and contains structured data — arrays, structs, individual variables. A data block might hold recipe parameters, production counters, setpoints, or alarm configurations.

When reading a DB, you specify the DB number, the byte offset within the block, and the data type. For example, reading DB1.DBD0 (Data Block 1, Double Word at byte offset 0) returns a 32-bit value. The protocol returns raw bytes; your software interprets them as INT, DINT, REAL, BOOL, STRING, or any other S7 data type.

Marker Memory (M)

Marker memory (also called Merker or flag memory) is a global internal memory area shared across all program blocks. Engineers use markers for inter-block communication, status flags, and temporary storage in PLC programs. M0.0 through M0.7 give you 8 boolean flags in the first byte. MB0 is byte 0, MW0 is word 0, MD0 is double word 0.

Inputs (I) and Outputs (Q)

Inputs (I) represent the physical digital and analog input signals wired to the PLC. Outputs (Q, from the German "Quelle") represent the physical output signals. Reading I0.0 tells you the state of digital input 0. Writing Q0.0 turns on physical output 0. For analog I/O, IW64 might be analog input channel 0, and QW64 might be analog output channel 0.

Timers (T) and Counters (C)

S7 timers and counters are special function elements. T0 through T255 are timer values (in S5 time format). C0 through C255 are counter values. These are less commonly accessed externally but available if you need to monitor timer states or counter accumulations.

How S7 Communication Works

The S7 protocol uses a connection-oriented communication model over TCP:

  1. TCP connection is established to the PLC on port 102.
  2. COTP connection request (Connection Oriented Transport Protocol) sets up the transport layer with the correct rack and slot number.
  3. S7 communication setup establishes the application-layer session.
  4. Read/Write requests are sent as S7 data frames specifying the memory area, DB number, byte offset, and length.

Rack and Slot Addressing

Each S7 PLC has a rack number and slot number that identifies the CPU module. For S7-1200 and S7-1500, this is almost always rack 0, slot 1. For S7-300 and S7-400, the rack/slot depends on the hardware configuration — you may need rack 0 slot 2 or other values depending on which module holds the CPU.

S7 Data Types

When reading from a PLC, the protocol returns raw bytes. Your software must interpret them based on the S7 data type:

Data Type
Size
Description
BOOL
1 bit
True/false (X addressing)
BYTE
1 byte
0–255
INT
2 bytes
Signed integer -32768 to 32767
DINT
4 bytes
Signed 32-bit integer
REAL
4 bytes
IEEE 754 float
STRING
Variable
First byte = max length, second byte = actual length, then characters

S7 vs Other Industrial Protocols

When comparing S7 against Allen-Bradley and other PLC brands, the key trade-off is direct native access versus vendor neutrality. Here is how S7 compares to Modbus TCP:

Factor
S7 Protocol
Modbus TCP
Vendor
Siemens only
Vendor-neutral
Data model
Native PLC memory
Register-based mapping
Data types
Rich (BOOL to STRING)
16-bit words only
Setup
Enter IP, connect
Enter IP + map registers
DB structure access
Direct by offset
Must map to registers
Security
S7-1500 has PUT/GET config
No built-in security
Tools required
TIA Portal or third-party
Many free tools

Accessing S7 PLCs Without TIA Portal

TIA Portal is the official Siemens engineering environment — and it costs thousands of dollars. For many field tasks, you do not need the full IDE. You just need to read a data block, check a sensor value, or write a setpoint. That is where a standalone S7 communication tool comes in.

Field reality: Commissioning engineers often carry a laptop and need to check PLC values on-site. Installing TIA Portal on every commissioning laptop is impractical — the software requires Windows, a powerful machine, and a 30+ GB installation. A lightweight native S7 client is far more practical.

MacTools S7 Explorer is a native macOS application that communicates directly with S7-1200 and S7-1500 PLCs over Ethernet. No TIA Portal, no Step 7, no Windows VM. For step-by-step connection instructions, see our guide on connecting to Siemens S7 PLCs from macOS. Enter the PLC IP address and connect. Browse data blocks, read and write values, monitor variables in real-time — all from a MacBook.

Frequently Asked Questions

What port does the S7 protocol use?

The S7 Communication protocol runs over TCP/IP on port 102. To connect, you establish a TCP connection to the PLC's IP address on port 102, then send a COTP connection request specifying the rack and slot, followed by an S7 communication setup. No additional ports are needed.

Can I read Siemens S7 PLC data without TIA Portal?

Yes. You can read and write S7 PLC data using third-party tools that implement the S7 Communication protocol directly. These tools connect to the PLC over Ethernet on port 102 and read data blocks, inputs, outputs, and marker memory. MacTools S7 Explorer is a native macOS application that does this without requiring TIA Portal, Step 7, or Windows.

What are the rack and slot numbers for S7-1200 and S7-1500?

For S7-1200 and S7-1500 PLCs, the rack and slot is almost always rack 0, slot 1. For older S7-300 and S7-400 PLCs, the values depend on the hardware configuration and may be rack 0 slot 2 or different values based on which module holds the CPU.

What is the difference between S7 protocol and Modbus?

S7 is Siemens' proprietary protocol that natively understands Siemens PLC memory areas (DB, I, Q, M, T, C) and supports rich data types including BOOL, INT, DINT, REAL, and STRING. Modbus is vendor-neutral but uses a flat register-based model where all data is mapped to 16-bit word addresses. S7 provides direct access to PLC variables by their actual addresses, while Modbus requires manual register mapping.

Try S7 Explorer for macOS

Native Mac app for reading and writing Siemens S7-1200/1500 data blocks. No TIA Portal. No Parallels. $29 one-time.

Get MacTools S7 Explorer

Related: Full SCADA System

Need continuous monitoring across Siemens, Modbus, and OPC-UA devices? Voltrus SCADA supports S7, Modbus TCP/RTU, OPC-UA, MQTT, BACnet, DNP3, and more. Lifetime license from $249.

Further Reading