Score:0

Why GCM is used more often than CTR?


I've seen (on Wikipedia) that in the more recent versions of TLS, Counter mode is not used, but Galois/Counter mode is.

What is the advantage of using GCM instead of Counter mode?

samuel-lucas6
AES-GCM uses CTR mode internally but adds authentication, which detects when someone modifies (tampers with) the ciphertext. It also supports authentication of associated data (e.g. file headers, a counter, other metadata). GCM is faster than doing CTR-then-HMAC or similar and saves people from implementing that combination themselves.
Ievgeni
Why is it faster than CTR-then-HMAC?
samuel-lucas6
GMAC is more efficient than HMAC. GCM is a 1.5-pass mode, whereas CTR-then-HMAC is a 2-pass mode; it requires processing the entire message twice. OCB is a 1-pass mode.
Score:4

Very basically, TLS has always used a form of authenticated encryption. For this it used HMAC to calculate the authentication tag, followed by CBC encryption. This has the unfortunate disadvantage that padding oracle attacks are possible before the authentication tag is verified.

TLS 1.2 later added support for GCM, which is an authenticated cipher. It is an AEAD mode of encryption (Authenticated Encryption with Associated Data). This means that it will verify an authentication tag as part of the decryption procedure. This offers message integrity and authentication, as HMAC + CBC did before that.

However, a good authenticated cipher has advantages over such constructions. First of all, it offers a standardized mode of operation. GCM and CCM are standardized ciphers by NIST. That also means that secure, accelerated implementations are generally found in crypto libraries. It also means that mistakes such as padding oracle attacks or forgetting to include the IV are avoided.

Finally, GCM is very efficient on CPUs that have support for specific instructions. For Intel/AMD this would be the PCLMULQDQ instruction (ARM has similar acceleration on most chips used for mobile devices). If that's missing, an authenticated cipher that targets speed on general hardware such as ChaCha20/Poly1305 may be preferred.


CTR provides similar performance as CBC; for both modes you perform one block cipher operation for each block of plaintext (i.e. one AES block operation for each 16 bytes). The additional benefits of CTR with regard to - for instance - parallelization / multi-threaded operation are not enough to create a special CTR+HMAC mode.

Finally, CTR is still used in TLS as it is the underlying cipher mode for CCM / GCM. So it is used, but it is hidden from plain sight.

Score:2

Counter mode is a mode that offers confidentiality and describes the application of the block cipher algorithm to a set group of input data, called counters, in order to produce a set group of keystreams which are XORed with the plaintext to produce the ciphertext and vice versa. Its simplicity and maturity make this mode of operation an attractive option. However, counter mode does not protect message integrity at all.

The mechanism for protecting the privacy of plaintext within GCM is a variant of Counter mode, with a specific incrementing function, to produce the necessary sequence of counter blocks. The first counter block for plaintext encryption is produced by incrementing a block generated from the IV.

GCM consists of two functions called authenticated encryption and authenticated decryption. Certified encryption encrypts confidential data and computes an authentication tag (T) common to the confidential data and the AAD. Certified decryption decrypts the confidential data and verifies its authenticity through the authentication tag. An implementation may limit the input data to non-confidential data with no confidential data at all. The resulting version of GCM is called GMAC. Therefore, in the case that we only have AAD, the result of the GMAC operation is respectively the calculation and confirmation of the tag for the non-confidential data.

GCM offers data authentication assurance (up to 64 gigabytes for each invocation) using a universal hash function that is defined over a binary Galois field. GCM can also provide certification assurance for additional data (infinite-length records for each invocation) which are not encrypted. If the input of the GCM is restricted to non-encrypted data, then the output resulting from this GCM specialization is called GMAC and it is simply an authentication mode for the input data. Henceforth all statements about GCM also apply to GMAC. GCM provides a stronger assurance of certification than a (non-cryptographic) checksum or error-detecting code, and more specifically it can detect a random modification of the data as well as a deliberate unauthorized modification.

Finally, it is obvious that this algorithm is used in applications with high throughput requirements. It is one of the suitable algorithms when the criterion for performance is not area and power consumption but speed. Also important is the fact that, in addition to data encryption, it also provides certification, which is essential when it comes to storage networks or tapes. It is a flexible but at the same time powerful algorithm. Low-area and low-power implementations of this algorithm suitable for wireless and mobile applications have also been presented.

Maarten Bodewes
Can you explain what you mean by "certification" when it comes to GCM? Certification is a bit of an overloaded term in cryptography. BTW, not sure if the maximum data size is any advantage when it comes to TLS, which has a maximum record size anyway.
Pegasus
An implementation of GCM based on SP 800-38D, the fourth and last document in the Block Cipher Modes of Operation family of security standards, needs to meet its requirements; also for CA.
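The answer above describes the pieces of GCM (CTR for confidentiality, a universal hash over GF(2^128) for the tag, GMAC as the AAD-only case) without showing how they fit together. The program below is an added example, not code from the answer or from SP 800-38D; it rebuilds an AES-GCM ciphertext and tag by hand for a 96-bit IV, using the bit-serial multiplication of Algorithm 1 in SP 800-38D, and checks the result byte for byte against Go's crypto/cipher. The key, IV, AAD and plaintext are constructed test values. The CTR counter is inc32(J0) in the standard; Go's CTR increments the full 128-bit counter, which agrees for short messages like these.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// fe is a GF(2^128) element in GCM's bit order: bit 0 of the field element is
// the most significant bit of byte 0 (the "reflected" convention of SP 800-38D).
type fe struct{ hi, lo uint64 }

func feFromBytes(b []byte) fe {
	return fe{binary.BigEndian.Uint64(b[0:8]), binary.BigEndian.Uint64(b[8:16])}
}

func (x fe) bytes() []byte {
	out := make([]byte, 16)
	binary.BigEndian.PutUint64(out[0:8], x.hi)
	binary.BigEndian.PutUint64(out[8:16], x.lo)
	return out
}

// gfMul is Algorithm 1 of SP 800-38D: bit-serial multiplication modulo
// x^128 + x^7 + x^2 + x + 1. Written for clarity, not speed; real code uses
// tables or PCLMULQDQ, the instruction mentioned elsewhere in this thread.
func gfMul(x, y fe) fe {
	const r = uint64(0xe1) << 56 // R = 11100001 || 0^120, held in the high word
	var z fe
	v := y
	for i := 0; i < 128; i++ {
		var bit uint64 // bit i of x, counting from the leftmost bit of the block
		if i < 64 {
			bit = (x.hi >> (63 - uint(i))) & 1
		} else {
			bit = (x.lo >> (127 - uint(i))) & 1
		}
		if bit == 1 {
			z.hi ^= v.hi
			z.lo ^= v.lo
		}
		lsb := v.lo & 1 // rightmost bit decides whether the reduction applies
		v.lo = v.lo>>1 | v.hi<<63
		v.hi >>= 1
		if lsb == 1 {
			v.hi ^= r
		}
	}
	return z
}

// ghash computes GHASH_H(A || 0-pad || C || 0-pad || [len(A)]64 || [len(C)]64),
// absorbing one 16-byte block per field multiplication: Y = (Y xor X) * H.
func ghash(h fe, aad, ct []byte) fe {
	var y fe
	absorb := func(data []byte) {
		for len(data) > 0 {
			var blk [16]byte // a short final block is zero-padded
			n := copy(blk[:], data)
			data = data[n:]
			x := feFromBytes(blk[:])
			y = gfMul(fe{y.hi ^ x.hi, y.lo ^ x.lo}, h)
		}
	}
	absorb(aad)
	absorb(ct)
	var lens [16]byte
	binary.BigEndian.PutUint64(lens[0:8], uint64(len(aad))*8)
	binary.BigEndian.PutUint64(lens[8:16], uint64(len(ct))*8)
	x := feFromBytes(lens[:])
	return gfMul(fe{y.hi ^ x.hi, y.lo ^ x.lo}, h)
}

// gcmTag rebuilds the tag: GHASH over AAD and ciphertext under H = E_K(0^128),
// then XOR with E_K(J0), where J0 = IV || 0^31 || 1 for a 96-bit IV.
func gcmTag(block cipher.Block, iv12, aad, ct []byte) []byte {
	var zero, hBytes [16]byte
	block.Encrypt(hBytes[:], zero[:])
	j0 := make([]byte, 16)
	copy(j0, iv12)
	j0[15] = 1
	ekj0 := make([]byte, 16)
	block.Encrypt(ekj0, j0)
	s := ghash(feFromBytes(hBytes[:]), aad, ct).bytes()
	for i := range s {
		s[i] ^= ekj0[i]
	}
	return s
}

// gcmEncryptCTR is the confidentiality half: plain CTR starting at inc32(J0),
// which is why CTR is "hidden from plain sight" inside GCM.
func gcmEncryptCTR(block cipher.Block, iv12, pt []byte) []byte {
	ctr := make([]byte, 16)
	copy(ctr, iv12)
	ctr[15] = 2 // inc32(J0): J0 carried counter value 1
	out := make([]byte, len(pt))
	cipher.NewCTR(block, ctr).XORKeyStream(out, pt)
	return out
}

// ManualGCMMatchesStdlib reports whether the hand-built ciphertext||tag equals
// what crypto/cipher's GCM produces for the same key, IV, AAD and plaintext.
// With an empty plaintext this exercises the GMAC case.
func ManualGCMMatchesStdlib(key, iv12, aad, pt []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	want := g.Seal(nil, iv12, pt, aad)
	ct := gcmEncryptCTR(block, iv12, pt)
	got := append(ct, gcmTag(block, iv12, aad, ct)...)
	return bytes.Equal(got, want)
}

func main() {
	key := []byte("0123456789abcdef") // constructed AES-128 key
	iv := []byte("unique-nonce")      // constructed 96-bit IV
	fmt.Println("hand-built GCM matches crypto/cipher:",
		ManualGCMMatchesStdlib(key, iv, []byte("seq=7"), []byte("amount=0100 to=bob")))
	fmt.Println("hand-built GMAC (no plaintext) matches:",
		ManualGCMMatchesStdlib(key, iv, []byte("header only"), nil))
}
```

Reading gcmTag and gcmEncryptCTR side by side shows the "1.5 pass" structure from the comments: one AES block operation per 16 bytes for the keystream, plus one field multiplication per 16 bytes of AAD and ciphertext for the tag, versus a second full pass through a hash compression function for CTR-then-HMAC.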