WhoWatch Utility


Whowatch is an interactive, ncurses-based, process and users monitoring tool which updates information in real time. It can be described as an interactive mix of ps, pstree, lsof, w, finger and kill.



 sudo apt-get install whowatch 

CentOS Redhat – try RPMforge repos or download from site below and install


Execute the command whowatch and the ncurses interface will appear with the menu as shown below, you can then drill into processes etc.

 $ whowatch 








Recover deleted files with scalpel


Scalpel is a file carving and indexing application that runs on Linux
and Windows. The first version of Scalpel, released in 2005, was
based on Foremost 0.69. There have been a number of internal releases
since the last public release, 1.60, primarily to support our own
research. The newest public release v2.0, has a number of additional
features, including:

  • minimum carve sizes.
  • multithreading for quicker execution on multicore CPUs.
  • asynchronous I/O that allows disk operations to overlap with pattern
  • matching–this results in a substantial performance improvement.
  • regular expression support for headers/footers.
  • embedded header/footer matching for better processing of structured
  • file types that may contain embedded files.




ioping – monitor I/O latency in real time


This tool lets you monitor I/O latency in real time. It shows disk latency in the same way as ping shows network latency.

Show disk I/O latency using the default values and the current directory, until interrupted:

 $ ioping .
4096 bytes from . (ext4 /dev/sda3): request=1 time=0.2 ms
4096 bytes from . (ext4 /dev/sda3): request=2 time=0.2 ms
4096 bytes from . (ext4 /dev/sda3): request=3 time=0.3 ms
4096 bytes from . (ext4 /dev/sda3): request=4 time=12.7 ms
4096 bytes from . (ext4 /dev/sda3): request=5 time=0.3 ms
--- . (ext4 /dev/sda3) ioping statistics ---
5 requests completed in 4794.0 ms, 364 iops, 1.4 mb/s
min/avg/max/mdev = 0.2/2.8/12.7/5.0 ms
Measure disk seek rate (iops, avg) 
 $ ioping -R /dev/sda

--- /dev/sda (device 465.8 Gb) ioping statistics ---
186 requests completed in 3004.6 ms, 62 iops, 0.2 mb/s
min/avg/max/mdev = 6.4/16.0/26.8/4.7 ms
Measure disk sequential speed (mb/s) 
 $ ioping -RL /dev/sda

--- /dev/sda (device 465.8 Gb) ioping statistics ---
837 requests completed in 3004.1 ms, 292 iops, 72.9 mb/s
min/avg/max/mdev = 2.0/3.4/28.9/2.0 ms 


How to take a KVM Snapshot


KVM Snapshots

To take a snapshot of a guest image:

# Shut down virtual machine first.

 host:$ cd path to images 
 host:$ sudo qemu-img snapshot -l machine.img # list snapshots in an image 
 host:$ sudo qemu-img snapshot -c snapshotName machine.img # create a new snapshot for a machine 

# Start virtual machine. Modify data. Break something. Shut down virtual machine.

 host:$ sudo qemu-img snapshot -a snapshotName machine.img # apply a snapshot 

To do this, the guest image needs to be qcow2, not raw. To check what type of image it is, run:

 host:$ sudo file /var/lib/libvirt/images/$MACHINE.img 

It should say:
MACHINE.img: Qemu Image, Format: Qcow , Version: 2
If your guest image is raw, you can convert it to qcow2 by doing (and being careful with an image that contains important data or configuration):

# Show down virtual guest first

 host:$ sudo qemu-img convert -O qcow2 /var/lib/libvirt/images/$MACHINE.img \
/var/lib/libvirt/images/$MACHINE.img.qcow2 && \
sudo mv /var/lib/libvirt/images/$MACHINE.img.qcow2 /var/lib/libvirt/images/$MACHINE.img 
 host:$ sudo chmod 600 /var/lib/libvirt/images/$MACHINE.img 

TO Delete Snapshot:

 qemu-img snapshot -d Flounder-Gui-Base Flounder-GUI.img 

Where Flounder-Gui-Base is the snapshot reference name and Flounder-GUI.img is the actual Qcow2 image vm file.


Monitor Linux Directories with incrond (inotify)

If you need to monitor certain directories or even files you can use this excellent utility incrond which uses inotify to advise you of any changes that have been made to file system events. For example if you wanted to be sent an email when changes to the hosts file have been made or if a certain backup directory has been modified.

It consists of a daemon and a table manipulator, here are the list of inotify events that can be specified:

  • IN_ACCESS File was accessed (read)
  • IN_ATTRIB Metadata changed (permissions, timestamps, extended attributes, etc.)
  • IN_CLOSE_WRITE File opened for writing was closed
  • IN_CLOSE_NOWRITE File not opened for writing was closed
  • IN_CREATE File/directory created in watched directory
  • IN_DELETE File/directory deleted from watched directory
  • IN_DELETE_SELF Watched file/directory was itself deleted
  • IN_MODIFY File was modified
  • IN_MOVE_SELF Watched file/directory was itself moved
  • IN_MOVED_FROM File moved out of watched directory
  • IN_MOVED_TO File moved into watched directory
  • IN_OPEN File was opened


To install use your package managers.

 sudo apt-get install incron 


 yum install incron 

The configuration files in /etc are listed here with a brief description.

  • /etc/incron.conf – incron config file
  • /etc/incron.d/ – put config files here for incron to read.
  • /etc/incron.allow – users allowed to use incron.
  • /etc/incron.deny – users denied to use incron.


1. Create a simple file monitor:

Edit incrontab to create a monitor.

 incrontab -e 

Run logger command when file created or deleted from /testincron directory:

 /testincron IN_ALL_EVENTS logger "/testincron action for $# file" 

Save and close the file. Now cd to /testincron and create a file:

$ cd /testincron
$ >file1
$ rm file1

To see message, enter:

 $ sudo tail -f /var/log/messages 

2. Monitor changes to the hosts file:

Edit incrontab to create a monitor (need to be root).

 sudo incrontab -e 

Add entry to check hosts file changes:

 /etc/hosts IN_MODIFY /scripts/mailhostschange.sh [email protected]/$# 

Now create the mail command in the script file mailhostschange.sh that we are referencing above so that it can email us the alert when hosts file has changed.

mail -s "!!ALERT!! Hosts file modification has been detected" [email protected]

Make a change to the hosts file and an email should be received at [email protected] or whatever email address you specify. NOTE: It is assumed mailutils are installed and that the server can actually send mail via postfix/sendmail and so forth.

Reference links:


XenServer Boot error from fstab

If you modify a fstab file on Citrix XenServer 6.2 or higher and made an error which results in the server not booting, you can quickly do this to get going again:

mount -n -o remount /

Then edit the fstab with vi and fix the error or comment it out, and reboot the server.

Reference site: