"show policy-map type inspect zone-pair sessions" ..does a great job of showing me currently active sessions in the inspection rules. What if I want to see what traffic is currently being dropped by the class default drop? How could I view what traffic is being prevented by the ZBPF?
Class-map: class-default (match-any)
Drop (default action)
22386 packets, 1473397 bytes
Another handy tool to use when troubleshooting ZBFW is the 'ip inspect log drop' command. When this is enabled, a syslog message will be generated for packets that are dropped due to a firewall rule. The syslogs are usually pretty good about specifying a reason why the traffic was dropped as well.
Hope that helps.