Interesting project. I am not the best resource here, but I will give it a go. Really tackling this problem will require you to exploit the data gathered from multiple layers of the networking stack, not just one layer.
1) Consider Deep Packet Inspection – you can look into each individual packet and examine the content, and using that you might be able to tell a fair bit about the users. However, AFAIK this is not a cheap method. However, as you are logging all packets, and don’t have to do this in real time, you may be able to find a cheaper solution.
2) The obvious stuff – usage patterns, common destination IPs.
The issue here is that you really only have access to the Layer 2 data – MAC data, in this case. I think there might be a way to query stations on a network and get some data about them (not sure what, perhaps protocols they support, or NIC card info, or encryption available) so this might be of some use, if you already know a bit about your users.
I am not sure what you are given in this problem, so you may want to clarify that a bit. If you know nothing at the beginning, and have to identify users, that is a much harder problem than if you are given a list of users, and some info about the computer of each user.
3) If you want a humorous solution, you could simply disable the MACs one by one and see who storms out of their office.
Also, one thing of interest to me is this – “I connected another system to the same switch which will capture all the packets across the switch in promiscuous mode.” Sounds like you are using a hub, not a switch. A hub emulates a typical LAN, meaning that all packets get sent to all stations and anyone in promiscuous mode can pick them up. However, a switch creates a virtual circuit between any two stations communicating, so no one can eavesdrop (it’s actually for performance reasons, but it also prevents eavesdropping).
So unless your sniffer is sitting between the switch and the router, or you are using a hub, then you cannot capture everyone’s packets. Note that if your sniffer is sitting between the hub and the router, then you cannot see communication between two stations on the network, as that only goes as far as the switch, and never to the router (as it has no need).
It seems like you really need to find some software that will help you dismantle the MAC frames. Also, you will probably want to see if there is any software to break SSL encryption, so you can possibly capture usernames/passwords being sent to the internet.
Sorry for such a long answer, HTHs!
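Added example, not part of the original answer: a minimal Ethernet II / IPv4 parser that tallies destination IPs per source MAC (the "usage patterns" idea in point 2) and counts unicast frames not addressed to or from the capture host, which is a quick check on whether the capture point really sees other stations' traffic. All function names, MAC addresses and IP addresses are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Return (dst_mac, src_mac, dst_ip or None) for an Ethernet II frame."""
    if len(frame) < 14:
        return None                      # too short for an Ethernet header
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    dst_ip = None
    if ethertype == 0x0800 and len(frame) >= 34:    # IPv4 with 20-byte header
        dst_ip = ".".join(str(x) for x in frame[30:34])
    return mac(dst), mac(src), dst_ip

def profile(frames, sniffer_mac):
    """Per-source-MAC destination IP counts, plus third-party unicast count."""
    per_mac = defaultdict(Counter)
    third_party_unicast = 0
    for f in frames:
        parsed = parse_frame(f)
        if parsed is None:
            continue
        dst, src, dst_ip = parsed
        if dst_ip:
            per_mac[src][dst_ip] += 1
        is_group = int(dst[:2], 16) & 1  # low bit of first octet: broadcast/multicast
        if not is_group and sniffer_mac not in (dst, src):
            third_party_unicast += 1     # traffic between other stations was visible
    return per_mac, third_party_unicast

def build(dst, src, dst_ip, src_ip="10.0.0.5"):
    """Construct a header-only test frame (sample data, not a real capture)."""
    eth = bytes.fromhex(dst.replace(":", "") + src.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip

# Constructed sample: two stations talking to a gateway, plus one broadcast.
SNIFFER, GW = "02:00:00:00:00:99", "02:00:00:00:00:01"
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [build(GW, A, "192.0.2.10"), build(GW, A, "192.0.2.10"),
          build(GW, B, "198.51.100.7"), build("ff:ff:ff:ff:ff:ff", A, "10.0.0.255")]
```

A third-party unicast count of zero over a long capture suggests the capture port only receives broadcast traffic and frames for the capture host itself.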