---[ "One stream, two messages" ]---

TL;DR: Due to the difference in TCP/IP stack implementations, specifically in stream reassembly, a NIDS can see a different stream than the target.

original hacker paper: http://insecure.org/stf/secnet_ids/secnet_ids.html
later industry paper: http://www.symantec.com/connect/articles/evading-nids-revisited
academic: https://www.usenix.org/legacy/events/sec01/full_papers/handley/handley.pdf
          http://www.icir.org/vern/papers/activemap-oak03.pdf

Keep peeking at http://nmap.org/book/tcpip-ref.html
Free guide: http://www.tcpipguide.com/

---[ More discussion of practical TCP stream reassembly ]---

Tools: http://stackoverflow.com/questions/6151417/complete-reconstruction-of-tcp-session-html-pages-from-wireshark-pcaps-any-to
Paper: http://www.icir.org/vern/papers/TcpReassembly/TcpReassembly.pdf
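
The reassembly ambiguity from the TL;DR above, as an added example (not code from these notes or the linked papers): the same overlapping segments are rebuilt under two simplified overlap policies, and the disagreement is the condition a NIDS or normalizer should flag. The segment data, the two policy names and the function names are assumptions made for illustration; real stacks use more varied policies.

```python
# Added illustration; segments are constructed, offsets are relative to the ISN.
SEGMENTS = [(0, b"AAAA"), (4, b"BBBB"), (2, b"xxxx"), (8, b"CCCC")]

def reassemble(segments, policy):
    """Rebuild the stream from (offset, data) segments in arrival order.

    policy "first": a byte already received is kept (old data wins).
    policy "last":  a later segment overwrites it (new data wins).
    Returns (stream, conflicts); conflicts are the offsets where two
    segments carried different bytes for the same position.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    seen, conflicts = {}, set()
    for offset, data in segments:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
                if policy == "first":
                    continue  # keep the byte that arrived first
            seen[pos] = byte
    # Deliver only the contiguous prefix: a hole stalls the stream.
    out, pos = bytearray(), 0
    while pos in seen:
        out.append(seen[pos])
        pos += 1
    return bytes(out), sorted(conflicts)

def is_ambiguous(segments):
    """True when the two policies yield different streams (alert-worthy)."""
    return reassemble(segments, "first")[0] != reassemble(segments, "last")[0]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, *reassemble(SEGMENTS, policy))
    print("ambiguous:", is_ambiguous(SEGMENTS))
```

A plain retransmission (same bytes at the same offsets) produces no conflicts, so only inconsistent overlaps are reported.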