ydkhatri / mac_apt

macOS (& ios) Artifact Parsing Tool

Home Page: https://swiftforensics.com


Some process names do not appear in the NETUSAGE plugin results.

mnrkbys opened this issue · comments

In my test environment, netusage.sqlite on macOS 10.15.5, I found a case where an entry for a process is in the ZPROCESS table, but not in the ZLIVEUSAGE table.

In such a case, there is no data in ZWIFIIN, ZWIREDOUT, etc., but the ZFIRSTTIMESTAMP in the ZPROCESS table can be referenced. I consider ZFIRSTTIMESTAMP alone to be an important artifact.

Therefore, I would like to suggest the following change to the SQL query (replace "zprocess p" and "zliveusage lu" in the FROM clause).

SELECT pk.z_name AS item_type, p.zprocname AS process_name,
       p.zfirsttimestamp AS first_seen_date,
       p.ztimestamp AS last_seen_date,
       lu.ztimestamp AS usage_since,
       lu.zwifiin, lu.zwifiout, lu.zwiredin, lu.zwiredout, lu.zwwanin, lu.zwwanout
FROM zprocess p LEFT JOIN zliveusage lu ON p.z_pk = lu.zhasprocess
LEFT JOIN z_primarykey pk ON p.z_ent = pk.z_ent
ORDER BY process_name

What do you think?

I'm also attaching a sample file.
netusage_sample.zip

The entry for "curl" is recorded in the ZPROCESS table, but not in ZLIVEUSAGE.
By the way, I don't know why, but the value of ZTIMESTAMP for curl is negative.

Interesting find. I will take a look this weekend.

Yes, good idea. I will make the change.

About the "curl" process, the date of -63114076800 corresponds to the date 0001-01-01 00:00:00 according to Apple. It might as well be blank or NULL!

I have also modified my date interpreter function ReadMacAbsoluteTime to recognize this date now.

Changes made in v1.4.2 (no release)!
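As an added illustration (not code from the mac_apt project or from either commenter), the Python script below builds a constructed, stripped-down stand-in for netusage.sqlite in memory, runs the LEFT JOIN query proposed in the issue next to an inner join of the same two tables (my reconstruction of the earlier behaviour, not the project's exact original query), and decodes the timestamps with a small Mac-absolute-time reader that, as the maintainer describes for ReadMacAbsoluteTime, returns blank for -63114076800. Table and column names follow those cited in the issue; the schema is a constructed subset of the real one, the sample rows are made up, and read_mac_absolute_time, build_sample_db, process_names and netusage_report are hypothetical names.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Mac absolute time counts seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# The ZTIMESTAMP value reported for "curl" in the issue: Apple's encoding of
# 0001-01-01 00:00:00. Python's datetime cannot go back that far (the addition
# overflows), so the reader treats it as "no date", as the maintainer suggests.
APPLE_YEAR_ONE = -63114076800

# Constructed subset of the netusage.sqlite schema (only the columns the issue names).
SCHEMA = """
CREATE TABLE Z_PRIMARYKEY (Z_ENT INTEGER PRIMARY KEY, Z_NAME TEXT);
CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZPROCNAME TEXT,
                       ZFIRSTTIMESTAMP REAL, ZTIMESTAMP REAL);
CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZTIMESTAMP REAL,
                         ZWIFIIN INTEGER, ZWIFIOUT INTEGER, ZWIREDIN INTEGER,
                         ZWIREDOUT INTEGER, ZWWANIN INTEGER, ZWWANOUT INTEGER);
"""

# Query from the issue: LEFT JOIN keeps ZPROCESS rows that have no ZLIVEUSAGE row.
LEFT_JOIN_QUERY = """
SELECT pk.z_name AS item_type, p.zprocname AS process_name,
       p.zfirsttimestamp AS first_seen_date,
       p.ztimestamp AS last_seen_date,
       lu.ztimestamp AS usage_since,
       lu.zwifiin, lu.zwifiout, lu.zwiredin, lu.zwiredout, lu.zwwanin, lu.zwwanout
FROM zprocess p LEFT JOIN zliveusage lu ON p.z_pk = lu.zhasprocess
LEFT JOIN z_primarykey pk ON p.z_ent = pk.z_ent
ORDER BY process_name
"""

# Assumed earlier behaviour (inner join of the two tables), reconstructed from the
# issue's description; it silently drops any process without a ZLIVEUSAGE row.
INNER_JOIN_QUERY = LEFT_JOIN_QUERY.replace(
    "FROM zprocess p LEFT JOIN zliveusage lu", "FROM zprocess p JOIN zliveusage lu")


def read_mac_absolute_time(value):
    """Decode a Mac absolute timestamp to 'YYYY-MM-DD HH:MM:SS' (UTC).

    Returns '' for NULL, for the year-1 sentinel, and for any value the datetime
    type cannot represent, so one odd row never aborts the whole report.
    """
    if value is None or int(value) == APPLE_YEAR_ONE:
        return ''
    try:
        return (MAC_EPOCH + timedelta(seconds=value)).strftime('%Y-%m-%d %H:%M:%S')
    except (OverflowError, ValueError):
        return ''


def build_sample_db():
    """Constructed in-memory database: one process with usage, one (curl) without."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO Z_PRIMARYKEY VALUES (1, 'Process')")
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 'Safari', 612000000.0, 612100000.0),   # has a matching ZLIVEUSAGE row
        (2, 1, 'curl', 611900000.0, -63114076800.0),  # ZPROCESS only, year-1 ZTIMESTAMP
    ])
    conn.execute("INSERT INTO ZLIVEUSAGE VALUES (1, 1, 612100000.0, 1024, 256, 0, 0, 0, 0)")
    conn.commit()
    return conn


def process_names(conn, query):
    """Process names returned by a query whose second column is process_name."""
    return [row[1] for row in conn.execute(query)]


def netusage_report(conn):
    """Run the LEFT JOIN query and decode the three timestamp columns."""
    cur = conn.execute(LEFT_JOIN_QUERY)
    cols = [d[0].lower() for d in cur.description]  # normalise SQLite's column naming
    report = []
    for row in cur.fetchall():
        rec = dict(zip(cols, row))
        for key in ('first_seen_date', 'last_seen_date', 'usage_since'):
            rec[key] = read_mac_absolute_time(rec[key])
        report.append(rec)
    return report


if __name__ == '__main__':
    db = build_sample_db()
    print('inner join:', process_names(db, INNER_JOIN_QUERY))  # curl is missing
    print('left join :', process_names(db, LEFT_JOIN_QUERY))   # curl is present
    for rec in netusage_report(db):
        print(rec)
```

With the inner join the curl row disappears entirely; with the LEFT JOIN it is reported with its ZFIRSTTIMESTAMP intact, blank usage fields, and a blank last-seen date in place of the year-1 value, which is the artefact the issue argues is worth keeping.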