Author: Joe Barr
The basic format for the watch command is simply watch command. Once started, watch keeps running until it is stopped. You don’t want to use watch to programs that keep running. If you do, you’ll be sorry.
For example, you do not want to issue a command like this one: watch xchat. That watch command would start a new copy of xchat running every 2 seconds, and keep on doing that until your system expired from lack of resources. Not a good thing.
Watch is made for commands that output data when executed and then stop. There are a lot of those to choose from: things like who, ls, df, and netstat.
Let’s try netstat as an example, and see what happens when we enter watch 'netstat -stu' at the CLI to create an interesting, almost real-time TCP/UDP connections summary monitor:
Every 2.0s: netstat -stu Thu May 19 15:45:09 2005
Tcp:
11263 active connections openings
50 passive connection openings
0 failed connection attempts
256 connection resets received
3 connections established
290774 segments received
299217 segments send out
657 segments retransmited
0 bad segments received.
5079 resets sent
Udp:
58029 packets received
316 packets to unknown port received.
0 packet receive errors
59566 packets sent
TcpExt:
1 packets pruned from receive queue because of socket buffer overrun
ArpFilter: 0
3192 TCP sockets finished time wait in fast timer
4 time wait sockets recycled by time stamp
20126 delayed acks sent
2 delayed acks further delayed because of locked socket
Quick ack mode was activated 780 times
2955 packets directly queued to recvmsg prequeue.
1446393 packets directly received from prequeue
177007 packets header predicted
241 packets header predicted and directly queued to user
TCPPureAcks: 19520
TCPHPAcks: 64828
Note that the first line is a watch title line, and is not part of the netstat output. It shows the frequency (2.0s) of the command, followed by the command being executed. On the right side of the title line, the current date and time are displayed. Even if nothing else on the screen changes, the time clicks as each two-second interval ends.
Or try a different view by netstat, this one showing active TCP connections and their current state:
Every 2.0s: netstat -t Thu May 19 16:05:40 2005 Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.0.101:50664 cs29.msg.dcn.yahoo:mmcc ESTABLISHED tcp 0 0 192.168.0.101:50788 internalmx1.vasof:imaps ESTABLISHED tcp 0 0 192.168.0.101:43686 208.53.170.81:6667 ESTABLISHED
In either case, for as long as you leave watch running, you’ll be seeing the latest output screen. You can use a couple of different watch options to highlight data that has changed. The -d option will highlight screen data that is different than it was on the previous screen. Add =cumulative to the -d option and the highlights become sticky, so that if a change has occurred at anytime since watch began running, it is highlighted and remains highlighted.
If 2 seconds isn’t the right frequency for your needs, you can specify a different time interval in seconds with the -n seconds argument. You can also choose not to display the watch title line by specifying -t. As always, man is your friend.
Watch is a simple, easy-to-use command. But it’s also one that can be just as clever as you are in coming up with new and interesting things you can do with it. If fact, I’ll bet a dollar to a doughnut that some of our ubergeek readers already have. Maybe they will share them in comments.
