Network port and vulnerability scanners are important tools both for data protection and for network attacking. Network scanner could be a standalone application, part of another application (network worm, for example) or a cloud engine. The most famous cloud network scanner is Shodan.io. Shodan claims to be an Internet of things (IoT) security scanner. This search engine constantly and continuously checks hosts in global network for opened ports and well-known network applications. Any device connected to IPv4 global network and available for incoming connections will be sooner or later discovered by Shodan and placed in public database (usually in one week). While scanning, Shodan is using stealth technology to complicate blocking itself by intrusion preventing system (IPS). In our work, we study the behavior of Shodan in IPv4 Internet. For this purpose, we use three kinds of traps: ≪dark≫ trap records all incoming packets and does not respond to them or do any other activity; ≪white≫ trap, in opposite, gives positive HTTP answer to any incoming request and ≪red≫ trap, gives RST flag to any incoming connection. Information gathered from these traps and information published on the Shodan site about these traps give the opportunity to make a suggestion about Shodan search and stealth algorithms. This article contains named suggestions and statistical characteristics of scanning process. Studying search algorithms will simultaneously help to improve other network scanners and to make more effective IDS.