
BGPKIT monocle

monocle is an open-source BGP command-line tool from BGPKIT. It queries precomputed datasets derived from public route-collector feeds (RIPE RIS, RouteViews, etc.) to answer operational and forensic questions about BGP: AS relationships, prefix origins, AS path samples, and BGP message search.

AS-relationship query (the Venezuela post's use case)

monocle as2rel 8048 21980

returns a confidence-score table over route collectors in the public as2rel-latest.json.bz2 dataset:

asn1  asn2   connected  peer   as1_upstream  as2_upstream
8048  21980  9.9 %      0.6 %  9.4 %         0.0 %

Interpretation:

  • connected — % of the 1813 route-collector peers that see the two ASes as adjacent in at least one path
  • peer — % of those adjacencies that look like peer-to-peer
  • as1_upstream / as2_upstream — % where one is the upstream (provider) of the other

For the AS8048 ↔ AS21980 case: almost all paths containing both put AS8048 as upstream of AS21980, so the customer-provider direction (AS8048 → AS21980) is high-confidence. This matters forensically: if AS8048 is already AS21980's upstream, a route leak that re-exposes AS21980's prefixes through other providers does not give AS8048 any interception it doesn't already have — removing the MITM motive.

Why this is useful

  • Independent of any single vendor's telemetry. Route-collector data is publicly observable, so monocle results can corroborate / cross-check a Radar (Cloudflare) or bgp.tools view.
  • Direction of the relationship is explicit, not inferred. Many BGP analyses treat adjacency as symmetric; monocle separates peer from upstream from downstream, which is the distinction route-leak forensics hinges on.
  • CLI-scriptable. Useful inside incident-response pipelines that need to answer "is leaker X already upstream of origin Y?" per event.
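Added example, not monocle's or BGPKIT's own code: a small Python parser for the as2rel table format shown above, plus a helper that answers the per-event "is leaker X already upstream of origin Y?" check from the interpretation rules in this note. The sample input is constructed from the AS8048 / AS21980 row on this page, and the confidence thresholds (min_connected, dominance) are illustrative assumptions, not monocle defaults.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the as2rel table for AS8048 / AS21980 as shown on this page.
SAMPLE_OUTPUT = """\
asn1 asn2 connected peer as1_upstream as2_upstream
8048 21980 9.9 % 0.6 % 9.4 % 0.0 %
"""

@dataclass
class As2Rel:
    asn1: int
    asn2: int
    connected: float     # % of collector peers seeing the two ASes adjacent
    peer: float          # score for a peer-to-peer relationship
    as1_upstream: float  # score for asn1 being asn2's provider
    as2_upstream: float  # score for asn2 being asn1's provider

# One data row: two ASNs followed by four percentages (a space before "%" is allowed).
_ROW = re.compile(r"^(\d+)\s+(\d+)" + r"\s+([\d.]+)\s*%" * 4 + r"\s*$")

def parse_as2rel(text: str) -> list:
    """Parse monocle as2rel table output; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(As2Rel(int(m[1]), int(m[2]), *(float(g) for g in m.groups()[2:])))
    return rows

def classify(rel: As2Rel, min_connected: float = 1.0, dominance: float = 0.8) -> str:
    """Label the pair as asn1_upstream, asn2_upstream, peer, unseen or unclear.
    Thresholds are assumptions for illustration: the pair must be seen by at least
    min_connected % of collector peers, and one category must hold >= dominance of the total."""
    if rel.connected < min_connected:
        return "unseen"
    total = rel.peer + rel.as1_upstream + rel.as2_upstream
    scores = {"peer": rel.peer, "asn1_upstream": rel.as1_upstream,
              "asn2_upstream": rel.as2_upstream}
    label, best = max(scores.items(), key=lambda kv: kv[1])
    if total == 0 or best / total < dominance:
        return "unclear"
    return label

def already_upstream(rows: list, leaker: int, origin: int) -> bool:
    """Answer 'is leaker already a provider of origin?' from parsed as2rel rows, either order."""
    for rel in rows:
        if (rel.asn1, rel.asn2) == (leaker, origin):
            return classify(rel) == "asn1_upstream"
        if (rel.asn1, rel.asn2) == (origin, leaker):
            return classify(rel) == "asn2_upstream"
    return False
```

For the sample row, already_upstream(rows, 8048, 21980) is True and the reverse direction is False, which is the forensic distinction the note above relies on.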
