
Rapid Detection of Disobedient Forwarding on a Compromised OpenFlow Switch

Advisor: 林柏青

Abstract


Software-defined networking (SDN) is programmable, centrally managed, and flexible with respect to topology changes. It allows network administrators to manage network flows easily from a centralized controller. However, these new features also introduce new security threats involving applications, controllers, OpenFlow switches, topology management, and so on. In this work, we study the attack of compromising a switch and design a method to detect disobedient forwarding in the flow table. To enhance detection efficiency and minimize additional network traffic, we reduce the number of detection packets needed by aggregating flow entries in a short time. To aggregate the flow entries, we select entries from different switches whose match fields can together compose a valid packet. The switches holding these entries form a path that the packet can travel through for rapid detection. We evaluate the effectiveness of this detection method by Mininet simulation on various topology types typically found in data center networks. The experimental results demonstrate that this method can examine the forwarding correctness of nearly 3 flow entries simultaneously on average with each detection packet. Furthermore, since the positive and negative factors affecting the growth of the aggregation rate break even in a large topology, the scale of the network topology does not significantly affect the efficiency of the method.
