I want to decrypt ssh traffic in a virtual environment such as OpenNebula. For this purpose I extracted the six ssh keys (IVs, Encryption keys and integrity keys) from the function key_derive_keys from the openssh/opensshportable code. If I then trace a ssh connection between a server and a client I can decrypt traffic if the two parties use AES-CBC mode without problems. But when the parties use AES-CTR the keys derived from the same method are no longer working. So my question is: Do I maybe extract the wrong IV? So do I have to trace a different function/struct? My code for the AES-CTR is:

key="1A0A3EBF96277C6109632C5D96AC5AF890693AC829552F33769D6B1A4275EAE2" 
iv="EB6444718D73887B1DF8E1D5E6C3ECFC" 

key_hex=binascii_a2b_hex(key)  
iv_hex=binascii_a2b_hex(iv)    
aes = AES.new(key_hex, AES.MODE_CTR, initial_value = iv_hex, nonce=b' ')    
decrypted = aes.decrypt(binascii.a2b_hex(cipher).rstrip())     
print(decrypted) 

Edit: created a new thread for a related but vers similar Problem here: Get the counter value after decrypt finished Maybe someone has an idea?

Edit: I fixed the problem meanwhile. The problem was that the counter is already incremented at the authentication step, which means that when the encryption starts the counter is a little bit higher than the IV. Which means that I had the correct keys, but the counter was wrong. I let this thread open for any one interessted.