To whom it may concern.
After establishing the connection (syn-syn,ack-ack) via rsh, the connection comes to the ESTABLISHED state, and all the requests will be moved to another port (so the rshd can further handle more connections).
My problem was how to pass the command in the last "ack" packet. The "ack" packet is itself a data packet, so the command can be transferred in the "payload" field.
A few quotes from "man rshd":
The server reads characters from the socket up to a NUL (`\0') byte. The resultant string is interpreted as an ASCII number, base 10.
3. If the number received in step 2 is non-zero, it is interpreted as the port number of a secondary stream to be used for the stderr. A second connection is then created to the specified port on the client's machine.
...
5. A null terminated user name of at most 16 characters is retrieved on the initial socket. This user name is interpreted as the user identity on the client's machine.
6. A null terminated user name of at most 16 characters is retrieved on the initial socket. This user name is interpreted as a user identity to use on the server's machine.
7. A null terminated command to be passed to a shell is retrieved on the initial socket. The length of the command is limited by the upper bound on the size of the system's argument list.
So, in #3 it says that the first characters up to a NUL byte are interpreted as the port number for the secondary connection. But I didn't need the secondary connection, so I put "0\0" at the beginning of the command.
Next, #5 and #6 specify the usernames on the client's machine and the server's machine, separated by NULs. So I put "0\0username1\0username1\0".
And #7 says that a null-terminated command can follow, so my command in the end was "0\0username1\0username2\0command\0".
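The same four NUL-terminated fields, as an added example that is not part of the original post: a small encoder and a decoder that reads the request the way steps 2 through 7 of the man page describe, rejecting a non-numeric port or a user name over 16 characters. It is useful for inspecting captured rsh requests; the function names and the 16-character limit constant are this example's own.

```python
# Added example (not from the original post): encode and decode the rshd
# request format quoted above: "<port>\0<client_user>\0<server_user>\0<command>\0".
import re

MAX_USER_LEN = 16  # steps 5 and 6: "user name of at most 16 characters"


def build_rsh_request(client_user, server_user, command, stderr_port=0):
    """Serialize the four NUL-terminated fields rshd reads from the initial socket."""
    for name in (client_user, server_user):
        if not 0 < len(name) <= MAX_USER_LEN:
            raise ValueError(f"user name must be 1..{MAX_USER_LEN} characters: {name!r}")
    for field in (client_user, server_user, command):
        if "\0" in field:
            raise ValueError("fields may not contain NUL bytes")
    if not 0 <= stderr_port <= 65535:
        raise ValueError("stderr port out of range")
    fields = (str(stderr_port), client_user, server_user, command)
    return b"".join(f.encode() + b"\0" for f in fields)


def parse_rsh_request(data):
    """Decode a request as rshd does (steps 2-7).

    Returns (stderr_port, client_user, server_user, command); a port of 0 means
    no secondary stderr connection is requested. Raises ValueError when the
    bytes violate the man page's rules.
    """
    fields = data.split(b"\0")
    if len(fields) < 5:  # four terminated fields plus the empty trailing piece
        raise ValueError("request must contain four NUL-terminated fields")
    port_str, client_user, server_user, command = fields[:4]
    if not re.fullmatch(rb"[0-9]+", port_str):  # step 2: base-10 ASCII number
        raise ValueError("port must be a base-10 ASCII number")
    stderr_port = int(port_str)
    if stderr_port > 65535:
        raise ValueError("stderr port out of range")
    for name in (client_user, server_user):
        if not 0 < len(name) <= MAX_USER_LEN:
            raise ValueError(f"user name must be 1..{MAX_USER_LEN} characters")
    return stderr_port, client_user.decode(), server_user.decode(), command.decode()


if __name__ == "__main__":
    req = build_rsh_request("username1", "username2", "command")
    print(req)                    # b'0\x00username1\x00username2\x00command\x00'
    print(parse_rsh_request(req)) # (0, 'username1', 'username2', 'command')
```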