We spent time today investigating a strange issue regarding Bro's behavior with libpcap's pcap_set_timeout value set to 1. This seems to be an ancient bit of code to work around a very old FreeBSD bug (which I have to imagine isn't a problem anymore). We at least partially addressed the problem we were encountering by changing this value to 1000, which is what tcpdump uses.
I propose that we copy tcpdump's behavior, change this to 1000, and remove the old comment. We should be able to get some testing of this on large networks to make sure it doesn't break any existing behavior, and I doubt there is any current benefit to be derived from the current setting.
I implemented a proposed solution to this in topic/seth/fix-pcap-set-timeout.
I'll see if I can get someone to test it and confirm that it works before filing a merge request.