May 23, 2005

CLI Magic: Watch it

Author: Joe Barr

This week we'll take a look at a very simple command called watch. You know what they say, a watched pot never boils. That's why it makes good sense to take advantage of this little tool to watch it for you. Waiting for mail? Want to see if a job has completed? Watch can help. At the CLI, of course. Climb down out of your GUI and take a look.

Watch allows you to see a real-time display of the latest output -- the first screenful of output -- from a command. So instead of you having to retype the command 50 times while you wait for whatever to occur, you tell watch to do it for you. By default, watch reissues your command every 2 seconds.

The basic format for the watch command is simply watch command. Once started, watch keeps running until it is stopped. You don't want to use watch to run programs that keep running. If you do, you'll be sorry.

For example, you do not want to issue a command like this one: watch xchat. That watch command would start a new copy of xchat running every 2 seconds, and keep on doing that until your system expired from lack of resources. Not a good thing.

Watch is made for commands that output data when executed and then stop. There are a lot of those to choose from: things like who, ls, df, and netstat.

Let's try netstat as an example, and see what happens when we enter watch 'netstat -stu' at the CLI to create an interesting, almost real-time TCP/UDP connections summary monitor:

Every 2.0s: netstat -stu                                         Thu May 19 15:45:09 2005
Tcp:
    11263 active connections openings
    50 passive connection openings
    0 failed connection attempts
    256 connection resets received
    3 connections established
    290774 segments received
    299217 segments send out
    657 segments retransmited
    0 bad segments received.
    5079 resets sent
Udp:
    58029 packets received
    316 packets to unknown port received.
    0 packet receive errors
    59566 packets sent
TcpExt:
    1 packets pruned from receive queue because of socket buffer overrun
    ArpFilter: 0
    3192 TCP sockets finished time wait in fast timer
    4 time wait sockets recycled by time stamp
    20126 delayed acks sent
    2 delayed acks further delayed because of locked socket
    Quick ack mode was activated 780 times
    2955 packets directly queued to recvmsg prequeue.
    1446393 packets directly received from prequeue
    177007 packets header predicted
    241 packets header predicted and directly queued to user
    TCPPureAcks: 19520
    TCPHPAcks: 64828

Note that the first line is a watch title line, and is not part of the netstat output. It shows the frequency (2.0s) of the command, followed by the command being executed. On the right side of the title line, the current date and time are displayed. Even if nothing else on the screen changes, the time clicks as each two-second interval ends.

Or try a different view from netstat, this one showing active TCP connections and their current state:

Every 2.0s: netstat -t                                      Thu May 19 16:05:40 2005
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.101:50664     cs29.msg.dcn.yahoo:mmcc ESTABLISHED
tcp        0      0 192.168.0.101:50788     internalmx1.vasof:imaps ESTABLISHED
tcp        0      0 192.168.0.101:43686     208.53.170.81:6667      ESTABLISHED

In either case, for as long as you leave watch running, you'll be seeing the latest output screen. You can use a couple of different watch options to highlight data that has changed. The -d option will highlight screen data that is different than it was on the previous screen. Add =cumulative to the -d option and the highlights become sticky, so that if a change has occurred at any time since watch began running, it is highlighted and remains highlighted.

If 2 seconds isn't the right frequency for your needs, you can specify a different time interval in seconds with the -n seconds argument. You can also choose not to display the watch title line by specifying -t. As always, man is your friend.
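The -d=cumulative highlights last only as long as watch keeps running. As an added example (not from the original article), this script keeps a file of every ESTABLISHED peer that netstat -t has reported and prints only peers it has not seen before; the function names, the state file and the two extra sample connections are constructed for illustration.

```shell
#!/bin/sh
# Added example: remember every ESTABLISHED peer seen in `netstat -t` output.
# Real use (hypothetical file names): replace the final `demo` call with
#   netstat -t | check_once "$HOME/.seen_peers"
# and run the script under watch, e.g. watch -n 5 sh newpeers.sh

# Read `netstat -t` output on stdin; print the foreign address of each
# ESTABLISHED TCP connection, sorted and de-duplicated.
established_peers() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" { print $5 }' | LC_ALL=C sort -u
}

# check_once STATE: print peers on stdin that are not yet listed in STATE,
# then merge them into STATE. The first run only records a baseline.
check_once() {
    state=$1
    cur=$(mktemp) || return 1
    established_peers > "$cur"
    if [ ! -f "$state" ]; then
        mv "$cur" "$state"; return 0
    fi
    LC_ALL=C comm -13 "$state" "$cur"            # lines only in the new snapshot
    LC_ALL=C sort -u -o "$state" "$state" "$cur" # cumulative set of seen peers
    rm -f "$cur"
}

# Snapshot taken from the netstat -t output shown in the article.
sample_before() { cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.101:50664     cs29.msg.dcn.yahoo:mmcc ESTABLISHED
tcp        0      0 192.168.0.101:50788     internalmx1.vasof:imaps ESTABLISHED
tcp        0      0 192.168.0.101:43686     208.53.170.81:6667      ESTABLISHED
EOF
}

# Later snapshot: the same lines plus two constructed connections.
sample_after() { sample_before; cat <<'EOF'
tcp        0      0 192.168.0.101:50790     198.51.100.7:22         ESTABLISHED
tcp        0      0 192.168.0.101:50791     203.0.113.9:80          TIME_WAIT
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    sample_before | check_once "$d/state"   # baseline: prints nothing
    sample_after  | check_once "$d/state"   # prints the one new ESTABLISHED peer
    rm -rf "$d"
}
demo
```

Under watch, a new peer appears on the refresh where it is first seen, and the state file keeps the full list after watch is stopped.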

Watch is a simple, easy-to-use command. But it's also one that can be just as clever as you are in coming up with new and interesting things you can do with it. In fact, I'll bet a dollar to a doughnut that some of our ubergeek readers already have. Maybe they will share them in comments.
