Hi, I am looking for documents or resources that can help with decoding ssh
network traffic. For example, I have the following diffie-hellman key
exchange reply payload captured; how exactly do I go ahead and figure out
what the payload means?

0000  00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00  ..............E.
0010  00 cc 33 79 40 00 40 06 08 b1 7f 00 00 01 7f 00  ..3y@.@.........
0020  00 01 00 16 d3 40 3f bb 8d 38 40 1f 65 f3 80 18  .....@?..8@.e...
0030  21 78 fe c0 00 00 01 01 08 0a 02 f0 b9 17 02 f0  !x..............
0040  b9 16 00 00 00 94 08 1f 00 00 00 81 00 ca ad dd  ................
0050  ec 16 67 fc 68 b5 fa 15 d5 3c 4e 15 32 dd 24 56  ..g.h....<N.2.$V
0060  1a 1a 2d 47 a1 2c 01 ab ea 1e 00 73 1f 69 21 aa  ..-G.,.....s.i!.
0070  c4 07 42 31 1f df 9e 63 4b b7 13 1b ee 1a f2 40  ..B1...cK......@
0080  26 15 54 38 9a 91 04 25 e0 44 e8 8c 83 59 b0 10  &.T8...%.D...Y..
0090  f5 ad 2b 80 e2 9c b1 a5 b0 27 b1 9d 9e 01 a6 f6  ..+......'......
00a0  3a 6f 45 e5 d7 ed 2f f6 a2 a0 08 50 50 a7 d0 cf  :oE.../....PP...
00b0  30 7c 3d b5 1d 24 90 35 59 07 b4 42 7c 23 a9 8d  0|=..$.5Y..B|#..
00c0  f1 eb 8a be f2 ba 20 9b b7 b1 b5 a7 af 00 00 00  ...... .........
00d0  01 05 00 00 00 00 00 00 00 00                    ..........

I looked through openssh/openssl source code and was able to identify
that these are the result of the following code in kexgexs.c in openssh:

    debug("SSH2_MSG_KEX_DH_GEX_GROUP sent");
    packet_start(SSH2_MSG_KEX_DH_GEX_GROUP);
    packet_put_bignum2(dh->p);
    packet_put_bignum2(dh->g);
    packet_send();

The DH and BIGNUM structures can be found in the openssl source tree.
However, when I attempt to decode the payload, I get a very confusing
result:

sizeof DH = 76
dh->pad: -2130706432 81000000
dh->version: -575813120 ddadca00

No way the pad can be that huge and the version does not seem to make
any sense.

I would appreciate some help if you can, thank you!

Fei
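
Added example (not part of the original post and not OpenSSH code): a parser for the TCP payload in the dump above, reading it as an RFC 4253 binary packet that carries two RFC 4251 mpint values, which is the wire form written by packet_put_bignum2. The function names are this example's own, and it assumes the capture is from the initial, still unencrypted key exchange (no MAC) and that the struct overlay ran on a little-endian host.

```python
import struct

# TCP payload copied from the dump in the post: frame offset 0x42 onward
# (14-byte Ethernet + 20-byte IP + 32-byte TCP header come before it).
TCP_PAYLOAD = bytes.fromhex(
    "00000094081f0000008100caaddd"
    "ec1667fc68b5fa15d53c4e1532dd2456"
    "1a1a2d47a12c01abea1e00731f6921aa"
    "c40742311fdf9e634bb7131bee1af240"
    "261554389a910425e044e88c8359b010"
    "f5ad2b80e29cb1a5b027b19d9e01a6f6"
    "3a6f45e5d7ed2ff6a2a0085050a7d0cf"
    "307c3db51d2490355907b4427c23a98d"
    "f1eb8abef2ba209bb7b1b5a7af000000"
    "01050000000000000000"
)
SSH2_MSG_KEX_DH_GEX_GROUP = 31  # message number from RFC 4419

def read_mpint(buf, off):
    # RFC 4251 mpint: uint32 big-endian length, then big-endian two's complement.
    (n,) = struct.unpack_from(">I", buf, off)
    body = buf[off + 4:off + 4 + n]
    if len(body) != n:
        raise ValueError("truncated mpint")
    return int.from_bytes(body, "big", signed=True), off + 4 + n

def parse_gex_group(data):
    # RFC 4253 section 6 packet before encryption starts (assumed: no MAC):
    # uint32 packet_length, byte padding_length, payload, padding.
    packet_length, padding_length = struct.unpack_from(">IB", data, 0)
    if len(data) < 4 + packet_length:
        raise ValueError("truncated packet")
    payload = data[5:4 + packet_length - padding_length]
    if not payload or payload[0] != SSH2_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not SSH2_MSG_KEX_DH_GEX_GROUP")
    p, off = read_mpint(payload, 1)    # written by packet_put_bignum2(dh->p)
    g, off = read_mpint(payload, off)  # written by packet_put_bignum2(dh->g)
    if off != len(payload):
        raise ValueError("unexpected trailing bytes")
    return {"packet_length": packet_length, "padding_length": padding_length,
            "p": p, "g": g}

def overlay_as_le_ints(data, off=6):
    # Reads the mpint length field and the first four bytes of p as two
    # little-endian int32 values, the way a C struct overlay would (assumed).
    return struct.unpack_from("<ii", data, off)

if __name__ == "__main__":
    print(parse_gex_group(TCP_PAYLOAD), overlay_as_le_ints(TCP_PAYLOAD))
```

On the bytes from the post this returns a 1024-bit p and g = 5, and the overlay returns -2130706432 and -575813120, the two numbers printed above as dh->pad and dh->version.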