`monocle rib` subcommand

[digizeph]

Description

At times, we would like to know what routes are being announced at any given timestamp. We should allow filtering by ASN or by registration country.

Expanded Scope: Multi-Timestamp RIB with SQLite Output

Beyond single-timestamp queries, a common investigation pattern requires extracting RIB state at multiple points in time (e.g., pre-event and post-event) and comparing them. Today this requires re-parsing the same large RIB files repeatedly for each question (prefix count, per-peer coverage, downstream ASN extraction, etc.), which is slow and error-prone.

Proposed Behavior

Single timestamp:

monocle rib --ts 2025-09-01T12:00:00Z --country IR --sqlite-path /tmp/rib.sqlite3
monocle rib --ts 2025-09-01T12:00:00Z -o 15169 --json

Multiple timestamps (avoids re-downloading/re-parsing):

monocle rib \
  --ts 2025-09-01T12:00:00Z \
  --ts 2025-09-01T18:00:00Z \
  --country IR \
  --sqlite-path /tmp/rib_snapshots.sqlite3

When multiple --ts values are provided, all RIBs are written to the same SQLite database with a rib_ts column to distinguish them. This lets users perform diff and comparison queries entirely in SQL without needing a separate rib diff subcommand.

SQLite Schema Extension

When --sqlite-path is used, the output table should include at minimum:

Column	Description
rib_ts	Which --ts value this entry belongs to
prefix	IP prefix
peer_asn	Collector peer ASN
peer_ip	Collector peer IP
as_path	AS path
origin_asns	Origin ASN(s)
collector	Route collector
next_hop	BGP next hop
communities	BGP communities

With rib_ts present, RIB-to-RIB diff is a trivial SQL query:

-- Prefixes lost between two ribs
SELECT prefix FROM elems WHERE rib_ts = '<pre>' AND origin_asns = '<ASN>'
EXCEPT
SELECT prefix FROM elems WHERE rib_ts = '<post>' AND origin_asns = '<ASN>';

-- Per-peer visibility change
SELECT rib_ts, peer_asn, COUNT(DISTINCT prefix) AS pfx_count
FROM elems
WHERE origin_asns = '<ASN>'
GROUP BY rib_ts, peer_asn
ORDER BY peer_asn, rib_ts;

This eliminates the need for a dedicated rib diff command — users get full flexibility through SQL.

Use Cases from BGP Investigations

1. Outage scoping — Extract RIB state before and after an event for a country or ASN, then diff in SQL to quantify prefix loss and identify which peers lost visibility.

2. Baseline extraction — A pre-event RIB provides the prefix list needed to filter BGP update files (since withdrawal messages carry no AS path, you must filter updates by prefix, not origin ASN). Being able to export this to SQLite once and query it multiple ways avoids re-parsing multi-million-entry RIB files 3-5 times per investigation.

3. Shared transit hub identification — Query a RIB with --as-path filter (e.g., routes transiting a specific ASN) to find all downstream origin ASNs behind a transit provider.

4. Per-peer coverage analysis — From a single SQLite export, compute how many prefixes each collector peer carries for a given origin ASN, without re-parsing the RIB file.

Filters

Should support the same filter set as monocle search/monocle parse:

• --origin-asn / -o — Filter by origin ASN
• --country — Filter by origin ASN registration country (new)
• --prefix / -p — Filter by prefix
• --as-path / -a — Filter by AS path regex
• --peer-asn / -J — Filter by collector peer ASN
• --collector / -c — Limit to specific collectors
• --include-sub / --include-super — Sub/super prefix matching

Interaction with #117

For large-scale country-level analysis, the prefix list or ASN list may be very large. This feature would benefit from the file-based filter input proposed in #117.