Hi Chuck,
Yes, you could build a plugin to parse the Gnutella protocol fairly easily with Unsniff. That part is straightforward.
I guess you would be interested in reconstructing actual files transferred over these networks. You could do that too with Unsniff, but it will require some coding. I can help with that part. We are lucky because most Gnutella traffic is unencrypted today.
Tools like Unsniff and Wireshark are great for pulling in traffic dumps (pcaps) of a finite size, hopefully pre-filtered.
I think you want to look at our new product called Trisul Network Metering and Forensics.
www.unleashnetworks.com/products/trisul.html.
In a nutshell, Trisul listens to traffic and indexes raw content and flows with fine-grained traffic statistics. This enables you to retro analyze (back in time - as much as disk space allows) incidents.
Sorry for the long reply.
You can also email me at vivek [ at ] unleashnetworks if you want to discuss a bit more about this.
Thanks,
Vivek R
Unleash Networks