Perhaps you need to read the man pages for TCPdump...or better yet, let me post it here for you:

IP Fragmentation

Fragmented Internet datagrams are printed as
(frag id:size@offset+)
(frag id:size@offset)
(The first form indicates there are more fragments. The
second indicates this is the last fragment.)

Nowhere in your trace does this appear. Not to mention the full TCP header would not appear in every datagram if the packet was fragmented. You would see an output like this:

arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560

Just because the DF bit is not set doesn't mean that the packet is automatically fragmented. It is just set when the packet is absolutely NOT fragmented.

Also, since you know a lot about TCP/IP, you should know that the SYN bit is also set in the first step of the TCP three-way handshake. Therefore this would be the expected output from a user running a TCP-connect scan (which happens to be the default for nmap), and again reinforces my position that the attacker was most likely NOT very knowledgeable.

Also, I am trying to continue to provide informative responses based on the facts at hand. I don't think it is appropriate to attempt to try to degrade me by telling me I don't know what I am doing. I have LOTS of experience (none of which I need to get into specifically), you should be able to tell based on my posts. I am not perfect and I will be the first to admit it. The goal here is for everybody to learn and comments like that are very counter-productive. If I do make a mistake, I would appreciate it if you came forward like a man and told me I am wrong and why, so I can learn from my mistakes.

If you find something on this, I would appreciate that you post links or something with factual evidence, instead of telling me to go read a book.

Enough Said......
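
Added example, not part of the original post: a short Python script that scans tcpdump text output for the fragment notation quoted from the man page above and reports whether each datagram's fragments reassemble cleanly. It assumes the older (frag id:size@offset+) output format shown in the post; the function names are illustrative, and the sample input is the three trace lines quoted in the post.

```python
import re
from collections import defaultdict

# Fragment notation as quoted in the post: (frag id:size@offset) with a
# trailing "+" when more fragments follow. Assumed format, older tcpdump.
FRAG_RE = re.compile(r"\(frag ([0-9a-fA-F]+):(\d+)@(\d+)(\+?)\)")

# Sample input: the three example lines quoted in the post.
SAMPLE = """\
arizona.ftp-data > rtsg.1170: . 1024:1332(308) ack 1 win 4096 (frag 595a:328@0+)
arizona > rtsg: (frag 595a:204@328)
rtsg.1170 > arizona.ftp-data: . ack 1536 win 2560
"""

def parse_fragments(trace):
    """Return {ip_id: [(offset, size, more_fragments), ...]} for fragment lines."""
    frags = defaultdict(list)
    for line in trace.splitlines():
        m = FRAG_RE.search(line)
        if m:  # lines without the notation are unfragmented datagrams
            ip_id, size, offset, more = m.groups()
            frags[ip_id.lower()].append((int(offset), int(size), more == "+"))
    return dict(frags)

def reassembly_status(pieces):
    """Classify one datagram: complete, gap, overlap or no-last-fragment."""
    ordered = sorted(pieces)
    expected = 0  # next byte offset we need to see
    for offset, size, _more in ordered:
        if offset < expected:
            return "overlap"   # byte range already covered by an earlier fragment
        if offset > expected:
            return "gap"       # a fragment is missing from the capture
        expected = offset + size
    if ordered[-1][2]:
        return "no-last-fragment"  # highest fragment still has the "+" marker
    return "complete"

def summarize(trace):
    """Return {ip_id: (status, total_bytes)} for every fragmented datagram."""
    return {ip_id: (reassembly_status(p), sum(size for _, size, _ in p))
            for ip_id, p in parse_fragments(trace).items()}

if __name__ == "__main__":
    for ip_id, (status, total) in summarize(SAMPLE).items():
        print(f"id {ip_id}: {status}, {total} bytes")
```

An empty result from summarize() means no line in the trace carried the fragment notation.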