diff --git a/docs/nmap.1 b/docs/nmap.1
index aa23c4778..94637450b 100644
--- a/docs/nmap.1
+++ b/docs/nmap.1
@@ -2,12 +2,12 @@
.\" Title: nmap
.\" Author: [see the "Author" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2
-.\" Date: 05/28/2010
+.\" Date: 06/07/2010
.\" Manual: Nmap Reference Guide
.\" Source: Nmap
.\" Language: English
.\"
-.TH "NMAP" "1" "05/28/2010" "Nmap" "Nmap Reference Guide"
+.TH "NMAP" "1" "06/07/2010" "Nmap" "Nmap Reference Guide"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
@@ -659,13 +659,14 @@ is a prominent character in the scan name, usually the first\&. The one exceptio
.PP
\fB\-sS\fR (TCP SYN scan) .\" -sS .\" SYN scan
.RS 4
-SYN scan is the default and most popular scan option for good reasons\&. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls\&. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections\&. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap\'s FIN/NULL/Xmas, Maimon and idle scans do\&. It also allows clear, reliable differentiation between the
+SYN scan is the default and most popular scan option for good reasons\&. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls\&. It is also relatively unobtrusive and stealthy since it never completes TCP connections\&. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap\'s FIN/NULL/Xmas, Maimon and idle scans do\&. It also allows clear, reliable differentiation between the
open,
closed, and
filtered
states\&.
.sp
-This technique is often referred to as half\-open scanning, because you don\'t open a full TCP connection\&. You send a SYN packet, as if you are going to open a real connection and then wait for a response\&. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non\-listener\&. If no response is received after several retransmissions, the port is marked as filtered\&. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received\&.
+This technique is often referred to as half\-open scanning, because you don\'t open a full TCP connection\&. You send a SYN packet, as if you are going to open a real connection and then wait for a response\&. A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non\-listener\&. If no response is received after several retransmissions, the port is marked as filtered\&. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received\&. The port is also considered open if a SYN packet (without the ACK flag) is received in response\&. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection (see
+\m[blue]\fB\%http://nmap.org/misc/split-handshake.pdf\fR\m[])\&.
.RE
.PP
\fB\-sT\fR (TCP connect scan) .\" -sT .\" connect scan
diff --git a/docs/refguide.xml b/docs/refguide.xml
index 57f00fa40..55084c0bc 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -1132,9 +1132,9 @@ scans.
SYN scan is the default and most popular scan option for good
reasons. It can be performed quickly, scanning thousands of ports per
-second on a fast network not hampered by restrictive firewalls. SYN scan
-is relatively unobtrusive and stealthy, since it never completes TCP
-connections. It also works against any compliant TCP stack rather
+second on a fast network not hampered by restrictive firewalls. It is also
+relatively unobtrusive and stealthy since it never completes TCP
+connections. SYN scan works against any compliant TCP stack rather
than depending on idiosyncrasies of specific platforms as Nmap's
FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear,
reliable differentiation between the open,
@@ -1148,7 +1148,7 @@ response. A SYN/ACK indicates the port is listening (open), while a
RST (reset) is indicative of a non-listener. If no response is
received after several retransmissions, the port is marked as
filtered. The port is also marked filtered if an ICMP unreachable
-error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
+error (type 3, code 1, 2, 3, 9, 10, or 13) is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection (see ).