Sniffing a browser authentication

A 401 response message is used by an web server to challenge the authorization of a user agent connecting anonymously. After receiving a 401 response, a browser will include an Authorization header field with the next request. The Authorization field contains credentials with the authentication information of the user agent for the resource being requested.

I used Wireshark to sniff this request-response stream on an Apache web server (asking for a virtual host called “/manual” protected by Basic authentication), and it looks like this:

Client Server
SYN
SYN,ACK
ACK
HTTP Request(GET /manual)
ACK
HTTP 401 Authorization Required response to browser including WWW-Authenticate: Basic header
FIN,ACK
ACK
FIN,ACK
ACK

(Repeat TCP sequence again, but browser sends proper credentials this time, and gets a 304 Not Modified response)